diff --git a/Tools/Solutions Analyzer/README.md b/Tools/Solutions Analyzer/README.md index 235008761cc..25b131766cb 100644 --- a/Tools/Solutions Analyzer/README.md +++ b/Tools/Solutions Analyzer/README.md 
@@ -199,6 +199,57 @@ See the script documentation for details: ## Version History +### v9.10 - Schema reference documentation links for table pages + +**Schema references section added to table documentation:** +- Each generated table page now includes a "Schema References" section with official Microsoft Learn documentation links for field/column information. +- **Specific schema documentation** is provided for well-documented tables (e.g., SecurityAlert for security alerts, DnsEvents/DnsInventory for DNS via AMA) with dedicated reference pages. +- **General data source schema reference** is provided for all other tables as a fallback. +- The mapping is configurable via the `TABLE_SCHEMA_REFERENCES` dictionary in `generate_connector_docs.py`, allowing easy addition of new table-specific references. +- Current mappings include: + - `SecurityAlert` → [Security Alert Schema](https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema) + - `DnsEvents`, `DnsInventory`, `AMA_DNS` → [DNS AMA Fields Reference](https://learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields) + - All other tables → [Data Source Schema Reference](https://learn.microsoft.com/en-us/azure/sentinel/data-source-schema-reference) (general reference) +- Schema References section appears in the Table of Contents for easy navigation. + +### v9.9 - In-solution override flag for misclassified published connectors + +**Connectors with all tables filtered out no longer drop their solution from the index (`solutions_connectors_tables_mapping.csv`, `solutions-index.md`, `index.html`):** +- The mapper now **always** emits a placeholder mapping row when a connector produces zero table rows, regardless of *why* (no table tokens, parser-only tokens, failed table-name validation, or a `reported_table_exclusions` override). 
Previously only the `no_table_definitions` case kept a row; the other three drop reasons (`table_detection_failed`, `parser_tables_only`, `partial_parser_tables`) discarded the connector entirely. When such a connector was a solution's **only** connector, the whole solution vanished from the mapping CSV and therefore from `solutions-index.md` — even though its detail page was still generated. This regressed SlashNext, whose sole Function App connector (`SlashNextFunctionApp`) only references `AzureDiagnostics`/`AzureMetrics` health tables that the v9.9 `reported_table_exclusions` override drops. +- Both doc generators now **seed the index from the union of the mapping CSV and `solutions.csv`** as a safety net: any solution present in `solutions.csv` but absent from the mapping CSV is added with an empty-connector placeholder row so it can never be silently dropped from `solutions-index.md` (`generate_connector_docs.py`) or the interactive `index.html` (`generate_interactive_docs.py`). The placeholder carries an empty `connector_id`, so it adds no phantom connector to the connectors index. + +**Marketplace double-prefix publish-status fix (`solutions.csv`):** +- `check_marketplace_availability()` now builds the marketplace legacy ID via `_build_legacy_id()`, which uses `offerId` as-is when it is already prefixed with `.` instead of blindly forming `.`. Some `SolutionMetadata.json` files store the full legacy ID in `offerId` (e.g. `azuresentinel` + `azuresentinel.trendmicrocas`, `squadratechnologies` + `squadratechnologies.secrmmsentinel`). The previous logic produced a double-prefixed ID (e.g. `azuresentinel.azuresentinel.trendmicrocas`) that 404s, so those published solutions (Trend Micro Cloud App Security, Squadra Technologies SecRmm) were wrongly reported as `mp_is_published=false`. The marketplace cache key uses the same helper so cache hits match the API ID. 
+ +**Marketplace filter-query fallback for republished offers (`solutions.csv`):** +- When the direct legacy-ID lookup 404s, `check_marketplace_availability()` now retries via a catalog `$filter` query keyed by `offerId` (new helper `_query_marketplace_by_offer_id()`), mirroring the official packaging flow in `.script/package-automation/catalogAPI.ps1`. The filter is scoped to Sentinel offers (`categoryIds` eq `AzureSentinelSolution` or `keywords` contains the Sentinel keyword GUID) and matches `offerId` exactly. This recovers solutions that were **republished under a different `publisherId`** than the one stored in `SolutionMetadata.json` (e.g. Zscaler Internet Access: `zscaler.zscaler_zia` → live `zscaler1579058425289.zscaler_zia`), so they are no longer mis-reported as `mp_is_published=false` and no longer need a per-solution `is_published=true` override. The fallback only *adds* recovery on a 404 — it never flips a published solution to unpublished. Solutions whose **`offerId` itself changed** in the marketplace (not just the publisher) are still reported unpublished and require a `SolutionMetadata.json` `offerId` correction. + +**Marketplace lookup-key overrides for renamed offers / metadata-less folders (`solutions.csv`):** +- `Solution`-scoped `solution_publisher_id` and `solution_offer_id` overrides are now applied to each solution **before** the marketplace availability check, redirecting *what* the public catalog API looks up rather than hard-coding the published verdict. This is the preferred fix when a solution ships under a different marketplace offer than its repo `SolutionMetadata.json` records — a renamed/re-published offer, a publisher hand-off, or a repo folder that carries no `SolutionMetadata.json` at all (e.g. Farsight DNSDB → `domaintoolsllc….farsight-dnsdb`, Synack → `synackinc….synack-sentinel-integration`). 
Because the published flag is then derived from the live public catalog, it self-corrects on future marketplace changes instead of being frozen by a blanket `is_published=true` override. The mapper still consults **only** the public marketplace catalog and never the authenticated Content Hub APIs. The standard solution-override pass continues to run later in the pipeline; this earlier pass narrowly targets the two lookup-key fields so marketplace status is resolved against the corrected offer id. + +**Removed all blanket `is_published=true` solution overrides (data only):** +- Eliminated the ~430 `Solution,…,is_published,true` override rows from `solution_analyzer_overrides.csv`. The combination of `_build_legacy_id()` (double-prefix fix), the `offerId` filter-query fallback, and the pre-check lookup-key redirects now resolves published status directly from the live public catalog for the vast majority of these solutions, so the blanket overrides were redundant. The remaining mismatches were verified against the public marketplace catalog and replaced with 11 `solution_publisher_id` / `solution_offer_id` lookup-redirect override pairs (Barracuda WAF, BitSight, Farsight DNSDB, Intel471, Lumen Defender Threat Feed, SailPointIdentityNow, SecurityScorecard Cybersecurity Ratings, Semperis Directory Services Protector, Synack, Egress Iris, OneIdentity). Solutions confirmed genuinely unpublished/superseded in the catalog now report `is_published=false` from live data rather than being masked. Net effect: connector/solution publish status is fully marketplace-authoritative and self-correcting, with no frozen verdicts. + + +- Added a computed `category_primary` column that maps each table to a closed reporting taxonomy — `Cloud`, `Endpoint`, `Syslog/CEF`, `3rd Party (SaaS)`, `Defender`, `ASIM`, `Internal`, `Unknown` — alongside the raw `category` string (kept unchanged for traceability). 
Two diagnostic columns mirror the `collection_method` family: `category_source` (provenance) and `category_candidates` (all distinct taxonomy values produced, ordered by precedence). +- Resolution combines **strong** signals (ASIM name prefix, `source_defender_xdr`, mapped doc-category tokens such as `AWS`/`GCP`/`Crowdstrike`/`Entra`/`MDE`/`Normalized`/`Syslog/CEF`) using a deterministic combo precedence (`Internal` > `Defender` > `ASIM` > `Endpoint` > `Syslog/CEF` > `3rd Party (SaaS)` > `Cloud` > `Unknown`), so combos like SigninLogs resolve to `Cloud` rather than `Defender`. **Weak** fallbacks (cross-derive from `collection_method`, `resource_types` → `Cloud`, and `_CL` chains) fire only when no strong signal exists. +- `_CL` custom-log tables are categorized via their feeding connectors' vendor/product (→ `3rd Party (SaaS)`) or, absent that, the feeding **solution's publisher tier** (partner/community/developer → `3rd Party (SaaS)`; Microsoft → `Cloud`). Solution-private storage tables are forced to `Internal`. `category_primary` is overridable via `Entity=Table, Field=category_primary` rows in `solution_analyzer_overrides.csv`. + +**`solution_categories` fix (`solutions.csv`):** +- The `solution_categories` column now lists the actual domain/vertical **values** from `SolutionMetadata.json` (e.g. `Security - Threat Protection`) instead of the JSON key names (`domains`, `verticals`). + +**ARM-expression table-name filter (`tables.csv`):** +- `is_true_table_name()` now rejects ARM-template expressions captured as literal table names (strings starting with `[` or containing `parameters(`/`variables(`), so placeholders like `[parameters('PlaybookName')]_CL` and `[variables('Sentinel_LogName')]_CL` no longer leak into `tables.csv` as bogus `_CL` rows. Previously these passed the `_CL`-suffix check and were emitted as real tables. 
+ +**Connector table-source precedence and DCR normalization fixes (`connectors.csv`, `solutions_connectors_tables_mapping.csv`):** +- Companion files are now authoritative for table mapping: `*_Table.json` / `*_DCR.json` are applied first, query analysis runs only when companion files are absent, and `dataTypes` is now a fallback source (instead of Priority 0). This avoids over-trusting UI declarations when explicit DCR/table companion files are present. +- DCR extraction now treats `outputStream` as authoritative destination-table signal and uses `streams` only as fallback when `outputStream` is missing. This prevents input stream declarations from being misreported as extra ingested tables (for example Zscaler `nss_*` helper streams alongside `CommonSecurityLog`). +- `dataTypes` fallback extraction now expands placeholders (for example `{{graphQueriesTableName}}`) before resolving table tokens, improving coverage for connectors that parameterize table names in the UI config. + +**Override-driven "discovered" corrections (data only):** +- Added `not_in_solution_json=false` overrides for three published connectors that the mapper flags as "discovered" because of source-side gaps in their solutions: `MailGuard365` (solution has no `Solution_*.json` data file), `CiscoMerakiNativePoller` (absent from the `Data Connectors` list in `Solution_CiscoMeraki.json`), and `Pathlock_TDnR` (legacy root `Pathlock_TDnR.json` collides with the CCP definition in `Pathlock_TDnR_PUSH_CCP/` that the solution actually references). The overrides are an interim accuracy fix; the underlying solutions still need upstream correction (tracked in the reports folder). +- Documented `not_in_solution_json` as an overridable connector field in the override-system reference. + ### v9.8 - Artifact deep-links, connector/table accuracy, Learn deep-links, and faster HTML generation **New artifact deep-link CSV + Kusto upload:** 
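Review bot: in the v9.9 "Marketplace double-prefix publish-status fix" bullet, the ID template has dropped out of the text: it now reads "uses `offerId` as-is when it is already prefixed with `.` instead of blindly forming `.`", which no longer says what `_build_legacy_id()` actually does. The examples in the next sentence (`azuresentinel` + `azuresentinel.trendmicrocas`) show the intent, so spell the template out, e.g. "already prefixed with `publisherId.` instead of blindly forming `publisherId.offerId`"; the placeholders were probably lost because they were written in angle brackets, so avoid `<...>` in the README. Two smaller points in the same hunk: the `category_primary` bullets ("Added a computed `category_primary` column that maps each table to a closed reporting taxonomy") sit after two blank lines with no bold `**...:**` lead line, unlike every other v9.9 subsection, so add one such as "**Table category taxonomy (`tables.csv`):**"; and the v9.9 heading "In-solution override flag for misclassified published connectors" does not match the body, which covers dropped-solution placeholder rows, the marketplace lookup fixes, the category taxonomy, and connector table-source precedence, so rename it to reflect the actual contents.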
diff --git a/Tools/Solutions Analyzer/_build_connector_history_xlsx.py b/Tools/Solutions Analyzer/_build_connector_history_xlsx.py new file mode 100644 index 00000000000..45de4395cd9 --- /dev/null +++ b/Tools/Solutions Analyzer/_build_connector_history_xlsx.py 
@@ -0,0 +1,122 @@ +#!/usr/bin/env python3 +"""Build connector_history.xlsx from connector_history.csv. + +Produces a workbook with: +* "Data" — the full CSV, styled header, frozen panes, auto-filter. +* "Stock" — a line chart of active / deprecated / total connectors over time. +* "Flow" — a column chart of connectors created vs updated per month. + +Charts reference the Data sheet live, so editing the data updates the charts. +""" +from __future__ import annotations + +import csv +from pathlib import Path + +from openpyxl import Workbook +from openpyxl.chart import BarChart, LineChart, Reference +from openpyxl.styles import Alignment, Font, PatternFill +from openpyxl.utils import get_column_letter + +HERE = Path(__file__).resolve().parent +CSV_PATH = HERE / "connector_history.csv" +XLSX_PATH = HERE / "connector_history.xlsx" + +HEADER_FILL = PatternFill("solid", fgColor="1F4E78") +HEADER_FONT = Font(bold=True, color="FFFFFF") + + +def main() -> int: + with open(CSV_PATH, newline="", encoding="utf-8") as f: + reader = csv.reader(f) + rows = list(reader) + header, data = rows[0], rows[1:] + + wb = Workbook() + ws = wb.active + ws.title = "Data" + + # Header. + ws.append(header) + for col_idx, _ in enumerate(header, start=1): + cell = ws.cell(row=1, column=col_idx) + cell.fill = HEADER_FILL + cell.font = HEADER_FONT + cell.alignment = Alignment(horizontal="center") + + # Data, coercing numeric columns to int. 
+ numeric_cols = { + header.index(c) + for c in ( + "active_connectors", "deprecated_connectors", "total_connectors", + "connectors_created", "connectors_updated", + ) + if c in header + } + for record in data: + out = [] + for i, value in enumerate(record): + if i in numeric_cols and value != "": + out.append(int(value)) + else: + out.append(value) + ws.append(out) + + ws.freeze_panes = "A2" + last_col = get_column_letter(len(header)) + ws.auto_filter.ref = f"A1:{last_col}{len(data) + 1}" + for col_idx, name in enumerate(header, start=1): + ws.column_dimensions[get_column_letter(col_idx)].width = max(14, len(name) + 2) + + n_rows = len(data) + cats = Reference(ws, min_col=header.index("month") + 1, + min_row=2, max_row=n_rows + 1) + + # Stock chart (line). + stock_ws = wb.create_sheet("Stock") + stock = LineChart() + stock.title = "Connectors over time (as of 1st of month)" + stock.y_axis.title = "Connectors" + stock.x_axis.title = "Month" + stock.height = 12 + stock.width = 28 + # openpyxl defaults axes to delete=True, which hides tick labels/titles. + stock.x_axis.delete = False + stock.y_axis.delete = False + stock.legend.position = "b" + for name in ("active_connectors", "deprecated_connectors", "total_connectors"): + col = header.index(name) + 1 + ref = Reference(ws, min_col=col, min_row=1, max_row=n_rows + 1) + stock.add_data(ref, titles_from_data=True) + stock.set_categories(cats) + stock_ws.add_chart(stock, "B2") + + # Flow chart (column) — only if the flow columns exist. 
+ if "connectors_created" in header and "connectors_updated" in header: + flow_ws = wb.create_sheet("Flow") + flow = BarChart() + flow.type = "col" + flow.grouping = "clustered" + flow.title = "Connectors created vs updated per month (merges to master)" + flow.y_axis.title = "Distinct connectors" + flow.x_axis.title = "Month" + flow.height = 12 + flow.width = 28 + flow.x_axis.delete = False + flow.y_axis.delete = False + flow.legend.position = "b" + for name in ("connectors_created", "connectors_updated"): + col = header.index(name) + 1 + ref = Reference(ws, min_col=col, min_row=1, max_row=n_rows + 1) + flow.add_data(ref, titles_from_data=True) + flow.set_categories(cats) + flow_ws.add_chart(flow, "B2") + + wb.save(XLSX_PATH) + print(f"Wrote {XLSX_PATH}") + print(f"Sheets: {wb.sheetnames}") + return 0 + + +if __name__ == "__main__": + raise SystemExit(main()) diff --git a/Tools/Solutions Analyzer/artifact_doc_links.csv b/Tools/Solutions Analyzer/artifact_doc_links.csv index 76dca6d5667..e6872473abd 100644 --- a/Tools/Solutions Analyzer/artifact_doc_links.csv +++ b/Tools/Solutions Analyzer/artifact_doc_links.csv 
@@ -6,6 +6,7 @@ asim_parser,asimalertevent,asim/asimalertevent.md,asim/asimalertevent.html,Solut asim_parser,asimalerteventbitdefendergravityzone,asim/asimalerteventbitdefendergravityzone.md,asim/asimalerteventbitdefendergravityzone.html,Solutions Docs/asim/asimalerteventbitdefendergravityzone.md,Solutions Docs/asim/asimalerteventbitdefendergravityzone.html asim_parser,asimalerteventciscosecureendpoint,asim/asimalerteventciscosecureendpoint.md,asim/asimalerteventciscosecureendpoint.html,Solutions Docs/asim/asimalerteventciscosecureendpoint.md,Solutions Docs/asim/asimalerteventciscosecureendpoint.html asim_parser,asimalerteventmicrosoftdefenderxdr,asim/asimalerteventmicrosoftdefenderxdr.md,asim/asimalerteventmicrosoftdefenderxdr.html,Solutions Docs/asim/asimalerteventmicrosoftdefenderxdr.md,Solutions Docs/asim/asimalerteventmicrosoftdefenderxdr.html +asim_parser,asimalerteventpaloaltoxdr,asim/asimalerteventpaloaltoxdr.md,asim/asimalerteventpaloaltoxdr.html,Solutions Docs/asim/asimalerteventpaloaltoxdr.md,Solutions Docs/asim/asimalerteventpaloaltoxdr.html asim_parser,asimalerteventsentinelonesingularity,asim/asimalerteventsentinelonesingularity.md,asim/asimalerteventsentinelonesingularity.html,Solutions Docs/asim/asimalerteventsentinelonesingularity.md,Solutions Docs/asim/asimalerteventsentinelonesingularity.html asim_parser,asimassetentity,asim/asimassetentity.md,asim/asimassetentity.html,Solutions Docs/asim/asimassetentity.md,Solutions Docs/asim/asimassetentity.html asim_parser,asimauditevent,asim/asimauditevent.md,asim/asimauditevent.html,Solutions Docs/asim/asimauditevent.md,Solutions Docs/asim/asimauditevent.html 
@@ -195,6 +196,7 @@ asim_parser,asimwebsessioniis,asim/asimwebsessioniis.md,asim/asimwebsessioniis.h asim_parser,asimwebsessionnative,asim/asimwebsessionnative.md,asim/asimwebsessionnative.html,Solutions Docs/asim/asimwebsessionnative.md,Solutions Docs/asim/asimwebsessionnative.html asim_parser,asimwebsessionpaloaltocef,asim/asimwebsessionpaloaltocef.md,asim/asimwebsessionpaloaltocef.html,Solutions Docs/asim/asimwebsessionpaloaltocef.md,Solutions Docs/asim/asimwebsessionpaloaltocef.html asim_parser,asimwebsessionpaloaltocortexdatalake,asim/asimwebsessionpaloaltocortexdatalake.md,asim/asimwebsessionpaloaltocortexdatalake.html,Solutions Docs/asim/asimwebsessionpaloaltocortexdatalake.md,Solutions Docs/asim/asimwebsessionpaloaltocortexdatalake.html +asim_parser,asimwebsessionsalesforceservicecloudv2,asim/asimwebsessionsalesforceservicecloudv2.md,asim/asimwebsessionsalesforceservicecloudv2.html,Solutions Docs/asim/asimwebsessionsalesforceservicecloudv2.md,Solutions Docs/asim/asimwebsessionsalesforceservicecloudv2.html asim_parser,asimwebsessionsonicwallfirewall,asim/asimwebsessionsonicwallfirewall.md,asim/asimwebsessionsonicwallfirewall.html,Solutions Docs/asim/asimwebsessionsonicwallfirewall.md,Solutions Docs/asim/asimwebsessionsonicwallfirewall.html asim_parser,asimwebsessionsquidproxy,asim/asimwebsessionsquidproxy.md,asim/asimwebsessionsquidproxy.html,Solutions Docs/asim/asimwebsessionsquidproxy.md,Solutions Docs/asim/asimwebsessionsquidproxy.html asim_parser,asimwebsessionvectraai,asim/asimwebsessionvectraai.md,asim/asimwebsessionvectraai.html,Solutions Docs/asim/asimwebsessionvectraai.md,Solutions Docs/asim/asimwebsessionvectraai.html 
@@ -227,6 +229,7 @@ connector,airlockdigitalconnector,connectors/airlockdigitalconnector.md,connecto connector,aivectradetect,connectors/aivectradetect.md,connectors/aivectradetect.html,Solutions Docs/connectors/aivectradetect.md,Solutions Docs/connectors/aivectradetect.html connector,aivectradetectama,connectors/aivectradetectama.md,connectors/aivectradetectama.html,Solutions Docs/connectors/aivectradetectama.md,Solutions Docs/connectors/aivectradetectama.html connector,aivectrastream,connectors/aivectrastream.md,connectors/aivectrastream.html,Solutions Docs/connectors/aivectrastream.md,Solutions Docs/connectors/aivectrastream.html +connector,akamaiguardicore,connectors/akamaiguardicore.md,connectors/akamaiguardicore.html,Solutions Docs/connectors/akamaiguardicore.md,Solutions Docs/connectors/akamaiguardicore.html connector,akamaisecurityevents,connectors/akamaisecurityevents.md,connectors/akamaisecurityevents.html,Solutions Docs/connectors/akamaisecurityevents.md,Solutions Docs/connectors/akamaisecurityevents.html connector,akamaisecurityeventsama,connectors/akamaisecurityeventsama.md,connectors/akamaisecurityeventsama.html,Solutions Docs/connectors/akamaisecurityeventsama.md,Solutions Docs/connectors/akamaisecurityeventsama.html connector,alibabacloudnetworkingconnector,connectors/alibabacloudnetworkingconnector.md,connectors/alibabacloudnetworkingconnector.html,Solutions Docs/connectors/alibabacloudnetworkingconnector.md,Solutions Docs/connectors/alibabacloudnetworkingconnector.html 
@@ -316,6 +319,7 @@ connector,ciscoasa,connectors/ciscoasa.md,connectors/ciscoasa.html,Solutions Doc connector,ciscoasaama,connectors/ciscoasaama.md,connectors/ciscoasaama.html,Solutions Docs/connectors/ciscoasaama.md,Solutions Docs/connectors/ciscoasaama.html connector,ciscoduosecurity,connectors/ciscoduosecurity.md,connectors/ciscoduosecurity.html,Solutions Docs/connectors/ciscoduosecurity.md,Solutions Docs/connectors/ciscoduosecurity.html connector,ciscoetd,connectors/ciscoetd.md,connectors/ciscoetd.html,Solutions Docs/connectors/ciscoetd.md,Solutions Docs/connectors/ciscoetd.html +connector,ciscoetdconnectordefinition,connectors/ciscoetdconnectordefinition.md,connectors/ciscoetdconnectordefinition.html,Solutions Docs/connectors/ciscoetdconnectordefinition.md,Solutions Docs/connectors/ciscoetdconnectordefinition.html connector,ciscofirepowerestreamer,connectors/ciscofirepowerestreamer.md,connectors/ciscofirepowerestreamer.html,Solutions Docs/connectors/ciscofirepowerestreamer.md,Solutions Docs/connectors/ciscofirepowerestreamer.html connector,ciscofirepowerestreamerama,connectors/ciscofirepowerestreamerama.md,connectors/ciscofirepowerestreamerama.html,Solutions Docs/connectors/ciscofirepowerestreamerama.md,Solutions Docs/connectors/ciscofirepowerestreamerama.html connector,ciscoise,connectors/ciscoise.md,connectors/ciscoise.html,Solutions Docs/connectors/ciscoise.md,Solutions Docs/connectors/ciscoise.html 
@@ -463,6 +467,7 @@ connector,f5ama,connectors/f5ama.md,connectors/f5ama.html,Solutions Docs/connect connector,f5bigip,connectors/f5bigip.md,connectors/f5bigip.html,Solutions Docs/connectors/f5bigip.md,Solutions Docs/connectors/f5bigip.html connector,feedly,connectors/feedly.md,connectors/feedly.html,Solutions Docs/connectors/feedly.md,Solutions Docs/connectors/feedly.html connector,feedlyccpdefinition,connectors/feedlyccpdefinition.md,connectors/feedlyccpdefinition.html,Solutions Docs/connectors/feedlyccpdefinition.md,Solutions Docs/connectors/feedlyccpdefinition.html +connector,fieldeffectccf,connectors/fieldeffectccf.md,connectors/fieldeffectccf.html,Solutions Docs/connectors/fieldeffectccf.md,Solutions Docs/connectors/fieldeffectccf.html connector,filewallm365,connectors/filewallm365.md,connectors/filewallm365.html,Solutions Docs/connectors/filewallm365.md,Solutions Docs/connectors/filewallm365.html connector,fireeyenx,connectors/fireeyenx.md,connectors/fireeyenx.html,Solutions Docs/connectors/fireeyenx.md,Solutions Docs/connectors/fireeyenx.html connector,fireeyenxama,connectors/fireeyenxama.md,connectors/fireeyenxama.html,Solutions Docs/connectors/fireeyenxama.md,Solutions Docs/connectors/fireeyenxama.html 
@@ -518,6 +523,7 @@ connector,googleworkspaceccpdefinition,connectors/googleworkspaceccpdefinition.m connector,googleworkspacereportsapi,connectors/googleworkspacereportsapi.md,connectors/googleworkspacereportsapi.html,Solutions Docs/connectors/googleworkspacereportsapi.md,Solutions Docs/connectors/googleworkspacereportsapi.html connector,gravityzonedataconnector,connectors/gravityzonedataconnector.md,connectors/gravityzonedataconnector.html,Solutions Docs/connectors/gravityzonedataconnector.md,Solutions Docs/connectors/gravityzonedataconnector.html connector,greynoise2sentinelapi,connectors/greynoise2sentinelapi.md,connectors/greynoise2sentinelapi.html,Solutions Docs/connectors/greynoise2sentinelapi.md,Solutions Docs/connectors/greynoise2sentinelapi.html +connector,gsdetectionalerts,connectors/gsdetectionalerts.md,connectors/gsdetectionalerts.html,Solutions Docs/connectors/gsdetectionalerts.md,Solutions Docs/connectors/gsdetectionalerts.html connector,halcyonpush,connectors/halcyonpush.md,connectors/halcyonpush.html,Solutions Docs/connectors/halcyonpush.md,Solutions Docs/connectors/halcyonpush.html connector,holmsecurityassets,connectors/holmsecurityassets.md,connectors/holmsecurityassets.html,Solutions Docs/connectors/holmsecurityassets.md,Solutions Docs/connectors/holmsecurityassets.html connector,hvpollingidazurefunctions,connectors/hvpollingidazurefunctions.md,connectors/hvpollingidazurefunctions.html,Solutions Docs/connectors/hvpollingidazurefunctions.md,Solutions Docs/connectors/hvpollingidazurefunctions.html 
@@ -589,6 +595,8 @@ connector,lumenthreatfeedconnector,connectors/lumenthreatfeedconnector.md,connec connector,lumenthreatfeedconnectorv2,connectors/lumenthreatfeedconnectorv2.md,connectors/lumenthreatfeedconnectorv2.html,Solutions Docs/connectors/lumenthreatfeedconnectorv2.md,Solutions Docs/connectors/lumenthreatfeedconnectorv2.html connector,lumenthreatfeedconnectorv2privatenetworking,connectors/lumenthreatfeedconnectorv2privatenetworking.md,connectors/lumenthreatfeedconnectorv2privatenetworking.html,Solutions Docs/connectors/lumenthreatfeedconnectorv2privatenetworking.md,Solutions Docs/connectors/lumenthreatfeedconnectorv2privatenetworking.html connector,m365assets,connectors/m365assets.md,connectors/m365assets.html,Solutions Docs/connectors/m365assets.md,Solutions Docs/connectors/m365assets.html +connector,m365auditdlpccpdefinition,connectors/m365auditdlpccpdefinition.md,connectors/m365auditdlpccpdefinition.html,Solutions Docs/connectors/m365auditdlpccpdefinition.md,Solutions Docs/connectors/m365auditdlpccpdefinition.html +connector,m365auditgeneralccpdefinition,connectors/m365auditgeneralccpdefinition.md,connectors/m365auditgeneralccpdefinition.html,Solutions Docs/connectors/m365auditgeneralccpdefinition.md,Solutions Docs/connectors/m365auditgeneralccpdefinition.html connector,mailguard365,connectors/mailguard365.md,connectors/mailguard365.html,Solutions Docs/connectors/mailguard365.md,Solutions Docs/connectors/mailguard365.html connector,marklogic,connectors/marklogic.md,connectors/marklogic.html,Solutions Docs/connectors/marklogic.md,Solutions Docs/connectors/marklogic.html connector,mcafeeepo,connectors/mcafeeepo.md,connectors/mcafeeepo.html,Solutions Docs/connectors/mcafeeepo.md,Solutions Docs/connectors/mcafeeepo.html 
@@ -621,6 +629,8 @@ connector,mongodb,connectors/mongodb.md,connectors/mongodb.html,Solutions Docs/c connector,mongodbatlaslogsazurefunctions,connectors/mongodbatlaslogsazurefunctions.md,connectors/mongodbatlaslogsazurefunctions.html,Solutions Docs/connectors/mongodbatlaslogsazurefunctions.md,Solutions Docs/connectors/mongodbatlaslogsazurefunctions.html connector,morphisecccf,connectors/morphisecccf.md,connectors/morphisecccf.html,Solutions Docs/connectors/morphisecccf.md,Solutions Docs/connectors/morphisecccf.html connector,mulesoft,connectors/mulesoft.md,connectors/mulesoft.html,Solutions Docs/connectors/mulesoft.md,Solutions Docs/connectors/mulesoft.html +connector,mulesoftcloudhubconnector,connectors/mulesoftcloudhubconnector.md,connectors/mulesoftcloudhubconnector.html,Solutions Docs/connectors/mulesoftcloudhubconnector.md,Solutions Docs/connectors/mulesoftcloudhubconnector.html +connector,mulesoftcloudhubpushconnector,connectors/mulesoftcloudhubpushconnector.md,connectors/mulesoftcloudhubpushconnector.html,Solutions Docs/connectors/mulesoftcloudhubpushconnector.md,Solutions Docs/connectors/mulesoftcloudhubpushconnector.html connector,nasuniedgeappliance,connectors/nasuniedgeappliance.md,connectors/nasuniedgeappliance.html,Solutions Docs/connectors/nasuniedgeappliance.md,Solutions Docs/connectors/nasuniedgeappliance.html connector,netclean-proactive-incidents,connectors/netclean-proactive-incidents.md,connectors/netclean-proactive-incidents.html,Solutions Docs/connectors/netclean-proactive-incidents.md,Solutions Docs/connectors/netclean-proactive-incidents.html connector,netskope,connectors/netskope.md,connectors/netskope.html,Solutions Docs/connectors/netskope.md,Solutions Docs/connectors/netskope.html 
@@ -754,6 +764,7 @@ connector,sophosxgfirewall,connectors/sophosxgfirewall.md,connectors/sophosxgfir connector,squadratechnologiessecrmm,connectors/squadratechnologiessecrmm.md,connectors/squadratechnologiessecrmm.html,Solutions Docs/connectors/squadratechnologiessecrmm.md,Solutions Docs/connectors/squadratechnologiessecrmm.html connector,squidproxy,connectors/squidproxy.md,connectors/squidproxy.html,Solutions Docs/connectors/squidproxy.md,Solutions Docs/connectors/squidproxy.html connector,ssg,connectors/ssg.md,connectors/ssg.html,Solutions Docs/connectors/ssg.md,Solutions Docs/connectors/ssg.html +connector,stealthtalkanomalousauth,connectors/stealthtalkanomalousauth.md,connectors/stealthtalkanomalousauth.html,Solutions Docs/connectors/stealthtalkanomalousauth.md,Solutions Docs/connectors/stealthtalkanomalousauth.html connector,stealthwatch,connectors/stealthwatch.md,connectors/stealthwatch.html,Solutions Docs/connectors/stealthwatch.md,Solutions Docs/connectors/stealthwatch.html connector,stridershieldccf,connectors/stridershieldccf.md,connectors/stridershieldccf.html,Solutions Docs/connectors/stridershieldccf.md,Solutions Docs/connectors/stridershieldccf.html connector,styxviewendpointconnectordefinition,connectors/styxviewendpointconnectordefinition.md,connectors/styxviewendpointconnectordefinition.html,Solutions Docs/connectors/styxviewendpointconnectordefinition.md,Solutions Docs/connectors/styxviewendpointconnectordefinition.html 
@@ -791,7 +802,9 @@ connector,tropicoalertsdefinition,connectors/tropicoalertsdefinition.md,connecto connector,tropicoeventsdefinition,connectors/tropicoeventsdefinition.md,connectors/tropicoeventsdefinition.html,Solutions Docs/connectors/tropicoeventsdefinition.md,Solutions Docs/connectors/tropicoeventsdefinition.html connector,tropicoincidentsdefinition,connectors/tropicoincidentsdefinition.md,connectors/tropicoincidentsdefinition.html,Solutions Docs/connectors/tropicoincidentsdefinition.md,Solutions Docs/connectors/tropicoincidentsdefinition.html connector,ubiquitiunifi,connectors/ubiquitiunifi.md,connectors/ubiquitiunifi.html,Solutions Docs/connectors/ubiquitiunifi.md,Solutions Docs/connectors/ubiquitiunifi.html +connector,unifisitemanagerconnector,connectors/unifisitemanagerconnector.md,connectors/unifisitemanagerconnector.html,Solutions Docs/connectors/unifisitemanagerconnector.md,Solutions Docs/connectors/unifisitemanagerconnector.html connector,upwindlogsloader,connectors/upwindlogsloader.md,connectors/upwindlogsloader.html,Solutions Docs/connectors/upwindlogsloader.md,Solutions Docs/connectors/upwindlogsloader.html +connector,utimacoeskmconnector,connectors/utimacoeskmconnector.md,connectors/utimacoeskmconnector.html,Solutions Docs/connectors/utimacoeskmconnector.md,Solutions Docs/connectors/utimacoeskmconnector.html connector,vaikorasentinel,connectors/vaikorasentinel.md,connectors/vaikorasentinel.html,Solutions Docs/connectors/vaikorasentinel.md,Solutions Docs/connectors/vaikorasentinel.html connector,valencesecurity,connectors/valencesecurity.md,connectors/valencesecurity.html,Solutions Docs/connectors/valencesecurity.md,Solutions Docs/connectors/valencesecurity.html connector,valimailenforceeventsconnector,connectors/valimailenforceeventsconnector.md,connectors/valimailenforceeventsconnector.html,Solutions Docs/connectors/valimailenforceeventsconnector.md,Solutions Docs/connectors/valimailenforceeventsconnector.html 
@@ -951,6 +964,11 @@ content,aishield-ai-security-monitoring-guardian-token-limit-policy-violation-de content,aishield-ai-security-monitoring-guardian-url-detection-policy-violation-detection-de6f4636-a51a-411d-95d8-4f9099865990-b6cfa7c6,content/aishield-ai-security-monitoring-guardian-url-detection-policy-violation-detection-de6f4636-a51a-411d-95d8-4f9099865990-b6cfa7c6.md,content/aishield-ai-security-monitoring-guardian-url-detection-policy-violation-detection-de6f4636-a51a-411d-95d8-4f9099865990-b6cfa7c6.html,Solutions Docs/content/aishield-ai-security-monitoring-guardian-url-detection-policy-violation-detection-de6f4636-a51a-411d-95d8-4f9099865990-b6cfa7c6.md,Solutions Docs/content/aishield-ai-security-monitoring-guardian-url-detection-policy-violation-detection-de6f4636-a51a-411d-95d8-4f9099865990-b6cfa7c6.html content,aishield-ai-security-monitoring-guardian-url-reachability-policy-violation-detection-93a56919-105a-4ffe-9a8c-4ef6d0b101ac-cb95565e,content/aishield-ai-security-monitoring-guardian-url-reachability-policy-violation-detection-93a56919-105a-4ffe-9a8c-4ef6d0b101ac-cb95565e.md,content/aishield-ai-security-monitoring-guardian-url-reachability-policy-violation-detection-93a56919-105a-4ffe-9a8c-4ef6d0b101ac-cb95565e.html,Solutions Docs/content/aishield-ai-security-monitoring-guardian-url-reachability-policy-violation-detection-93a56919-105a-4ffe-9a8c-4ef6d0b101ac-cb95565e.md,Solutions Docs/content/aishield-ai-security-monitoring-guardian-url-reachability-policy-violation-detection-93a56919-105a-4ffe-9a8c-4ef6d0b101ac-cb95565e.html content,aishield-ai-security-monitoring-guardiandashboard-2e13e015,content/aishield-ai-security-monitoring-guardiandashboard-2e13e015.md,content/aishield-ai-security-monitoring-guardiandashboard-2e13e015.html,Solutions Docs/content/aishield-ai-security-monitoring-guardiandashboard-2e13e015.md,Solutions Docs/content/aishield-ai-security-monitoring-guardiandashboard-2e13e015.html 
+content,akamai-guardicore-akamai-guardicore-incident-enrichment-—-one-click-bootstrap-397b7ee6,content/akamai-guardicore-akamai-guardicore-incident-enrichment-—-one-click-bootstrap-397b7ee6.md,content/akamai-guardicore-akamai-guardicore-incident-enrichment-—-one-click-bootstrap-397b7ee6.html,Solutions Docs/content/akamai-guardicore-akamai-guardicore-incident-enrichment-—-one-click-bootstrap-397b7ee6.md,Solutions Docs/content/akamai-guardicore-akamai-guardicore-incident-enrichment-—-one-click-bootstrap-397b7ee6.html +content,akamai-guardicore-guardicore-enrichmentrunner-8c6a3647,content/akamai-guardicore-guardicore-enrichmentrunner-8c6a3647.md,content/akamai-guardicore-guardicore-enrichmentrunner-8c6a3647.html,Solutions Docs/content/akamai-guardicore-guardicore-enrichmentrunner-8c6a3647.md,Solutions Docs/content/akamai-guardicore-guardicore-enrichmentrunner-8c6a3647.html +content,akamai-guardicore-guardicore-processincidentenrichment-185057ea,content/akamai-guardicore-guardicore-processincidentenrichment-185057ea.md,content/akamai-guardicore-guardicore-processincidentenrichment-185057ea.html,Solutions Docs/content/akamai-guardicore-guardicore-processincidentenrichment-185057ea.md,Solutions Docs/content/akamai-guardicore-guardicore-processincidentenrichment-185057ea.html +content,akamai-guardicore-guardicoreincident-eaef0237,content/akamai-guardicore-guardicoreincident-eaef0237.md,content/akamai-guardicore-guardicoreincident-eaef0237.html,Solutions Docs/content/akamai-guardicore-guardicoreincident-eaef0237.md,Solutions Docs/content/akamai-guardicore-guardicoreincident-eaef0237.html +content,akamai-guardicore-guardicoreinfo-922f455f,content/akamai-guardicore-guardicoreinfo-922f455f.md,content/akamai-guardicore-guardicoreinfo-922f455f.html,Solutions Docs/content/akamai-guardicore-guardicoreinfo-922f455f.md,Solutions Docs/content/akamai-guardicore-guardicoreinfo-922f455f.html 
content,alsid-for-ad-alsid-active-directory-attacks-pathways-9649e203-3cb7-47ff-89a9-42f2a5eefe31-b1b754b8,content/alsid-for-ad-alsid-active-directory-attacks-pathways-9649e203-3cb7-47ff-89a9-42f2a5eefe31-b1b754b8.md,content/alsid-for-ad-alsid-active-directory-attacks-pathways-9649e203-3cb7-47ff-89a9-42f2a5eefe31-b1b754b8.html,Solutions Docs/content/alsid-for-ad-alsid-active-directory-attacks-pathways-9649e203-3cb7-47ff-89a9-42f2a5eefe31-b1b754b8.md,Solutions Docs/content/alsid-for-ad-alsid-active-directory-attacks-pathways-9649e203-3cb7-47ff-89a9-42f2a5eefe31-b1b754b8.html content,alsid-for-ad-alsid-dcshadow-25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c-a4a36fc9,content/alsid-for-ad-alsid-dcshadow-25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c-a4a36fc9.md,content/alsid-for-ad-alsid-dcshadow-25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c-a4a36fc9.html,Solutions Docs/content/alsid-for-ad-alsid-dcshadow-25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c-a4a36fc9.md,Solutions Docs/content/alsid-for-ad-alsid-dcshadow-25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c-a4a36fc9.html content,alsid-for-ad-alsid-dcsync-d3c658bd-8da9-4372-82e4-aaffa922f428-5a769a8c,content/alsid-for-ad-alsid-dcsync-d3c658bd-8da9-4372-82e4-aaffa922f428-5a769a8c.md,content/alsid-for-ad-alsid-dcsync-d3c658bd-8da9-4372-82e4-aaffa922f428-5a769a8c.html,Solutions Docs/content/alsid-for-ad-alsid-dcsync-d3c658bd-8da9-4372-82e4-aaffa922f428-5a769a8c.md,Solutions Docs/content/alsid-for-ad-alsid-dcsync-d3c658bd-8da9-4372-82e4-aaffa922f428-5a769a8c.html 
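Review bot: the first added row in this hunk carries a non-ASCII em dash (`…incident-enrichment-—-one-click-bootstrap-397b7ee6`) into the CSV key and into all four generated file paths (`content/….md`, `content/….html` and both `Solutions Docs/content/…` paths). Non-ASCII characters in file names get percent-encoded differently by web servers and browsers and behave differently on encoding-sensitive filesystems, so links to this page are likely to break depending on where the docs are served from; every other slug in the file is plain ASCII. Suggest having the slug generator fold non-ASCII punctuation to `-` (and collapse the resulting `--` to a single `-`) before the row is emitted, so the slug becomes `…incident-enrichment-one-click-bootstrap-…`. The doubled vendor prefix `akamai-guardicore-akamai-guardicore-` in the same slug suggests the content title already repeats the solution name, which may be worth de-duplicating in the same normalisation step.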
@@ -2655,6 +2673,7 @@ content,farsight-dnsdb-dnsdb-co-located-hosts-9bee0918,content/farsight-dnsdb-dn content,farsight-dnsdb-dnsdb-co-located-ip-address-d423f44e,content/farsight-dnsdb-dnsdb-co-located-ip-address-d423f44e.md,content/farsight-dnsdb-dnsdb-co-located-ip-address-d423f44e.html,Solutions Docs/content/farsight-dnsdb-dnsdb-co-located-ip-address-d423f44e.md,Solutions Docs/content/farsight-dnsdb-dnsdb-co-located-ip-address-d423f44e.html content,farsight-dnsdb-dnsdb-historical-address-24651485,content/farsight-dnsdb-dnsdb-historical-address-24651485.md,content/farsight-dnsdb-dnsdb-historical-address-24651485.html,Solutions Docs/content/farsight-dnsdb-dnsdb-historical-address-24651485.md,Solutions Docs/content/farsight-dnsdb-dnsdb-historical-address-24651485.html content,farsight-dnsdb-dnsdb-historical-hosts-aa4260fc,content/farsight-dnsdb-dnsdb-historical-hosts-aa4260fc.md,content/farsight-dnsdb-dnsdb-historical-hosts-aa4260fc.html,Solutions Docs/content/farsight-dnsdb-dnsdb-historical-hosts-aa4260fc.md,Solutions Docs/content/farsight-dnsdb-dnsdb-historical-hosts-aa4260fc.html +content,fieldeffectmdr-field-effect-mdr-alert-aro-alert-6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11-86e91283,content/fieldeffectmdr-field-effect-mdr-alert-aro-alert-6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11-86e91283.md,content/fieldeffectmdr-field-effect-mdr-alert-aro-alert-6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11-86e91283.html,Solutions Docs/content/fieldeffectmdr-field-effect-mdr-alert-aro-alert-6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11-86e91283.md,Solutions Docs/content/fieldeffectmdr-field-effect-mdr-alert-aro-alert-6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11-86e91283.html content,filewall-for-microsoft-365-filewall-blocked-emails-9b784b65-2d16-4c9f-9f59-2a5d4c659f42-395f5a5b,content/filewall-for-microsoft-365-filewall-blocked-emails-9b784b65-2d16-4c9f-9f59-2a5d4c659f42-395f5a5b.md,content/filewall-for-microsoft-365-filewall-blocked-emails-9b784b65-2d16-4c9f-9f59-2a5d4c659f42-395f5a5b.html,Solutions 
Docs/content/filewall-for-microsoft-365-filewall-blocked-emails-9b784b65-2d16-4c9f-9f59-2a5d4c659f42-395f5a5b.md,Solutions Docs/content/filewall-for-microsoft-365-filewall-blocked-emails-9b784b65-2d16-4c9f-9f59-2a5d4c659f42-395f5a5b.html content,filewall-for-microsoft-365-filewall-blocked-files-86e7f6fd-5c29-4a3a-bced-3eca3fb0c621-7c0054b4,content/filewall-for-microsoft-365-filewall-blocked-files-86e7f6fd-5c29-4a3a-bced-3eca3fb0c621-7c0054b4.md,content/filewall-for-microsoft-365-filewall-blocked-files-86e7f6fd-5c29-4a3a-bced-3eca3fb0c621-7c0054b4.html,Solutions Docs/content/filewall-for-microsoft-365-filewall-blocked-files-86e7f6fd-5c29-4a3a-bced-3eca3fb0c621-7c0054b4.md,Solutions Docs/content/filewall-for-microsoft-365-filewall-blocked-files-86e7f6fd-5c29-4a3a-bced-3eca3fb0c621-7c0054b4.html content,filewall-for-microsoft-365-filewallm365overview-90daf6a7,content/filewall-for-microsoft-365-filewallm365overview-90daf6a7.md,content/filewall-for-microsoft-365-filewallm365overview-90daf6a7.html,Solutions Docs/content/filewall-for-microsoft-365-filewallm365overview-90daf6a7.md,Solutions Docs/content/filewall-for-microsoft-365-filewallm365overview-90daf6a7.html 
@@ -4140,6 +4159,10 @@ content,googlecloudplatformiam-gcp-iam-top-source-ip-addresses-with-failed-actio content,googledirectory-google-directory-enrich-incident-with-user-info-b9764ee5,content/googledirectory-google-directory-enrich-incident-with-user-info-b9764ee5.md,content/googledirectory-google-directory-enrich-incident-with-user-info-b9764ee5.html,Solutions Docs/content/googledirectory-google-directory-enrich-incident-with-user-info-b9764ee5.md,Solutions Docs/content/googledirectory-google-directory-enrich-incident-with-user-info-b9764ee5.html content,googledirectory-google-directory-sign-out-user-d3f73d66,content/googledirectory-google-directory-sign-out-user-d3f73d66.md,content/googledirectory-google-directory-sign-out-user-d3f73d66.html,Solutions Docs/content/googledirectory-google-directory-sign-out-user-d3f73d66.md,Solutions Docs/content/googledirectory-google-directory-sign-out-user-d3f73d66.html content,googledirectory-google-directory-suspend-user-ed8afb0c,content/googledirectory-google-directory-suspend-user-ed8afb0c.md,content/googledirectory-google-directory-suspend-user-ed8afb0c.html,Solutions Docs/content/googledirectory-google-directory-suspend-user-ed8afb0c.md,Solutions Docs/content/googledirectory-google-directory-suspend-user-ed8afb0c.html +content,googlesecops-google-secops-detection-alerts-f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a-5c1e3e3b,content/googlesecops-google-secops-detection-alerts-f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a-5c1e3e3b.md,content/googlesecops-google-secops-detection-alerts-f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a-5c1e3e3b.html,Solutions Docs/content/googlesecops-google-secops-detection-alerts-f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a-5c1e3e3b.md,Solutions Docs/content/googlesecops-google-secops-detection-alerts-f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a-5c1e3e3b.html 
+content,googlesecops-google-secops-gcti-threat-intelligence-finding-b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f-d7741376,content/googlesecops-google-secops-gcti-threat-intelligence-finding-b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f-d7741376.md,content/googlesecops-google-secops-gcti-threat-intelligence-finding-b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f-d7741376.html,Solutions Docs/content/googlesecops-google-secops-gcti-threat-intelligence-finding-b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f-d7741376.md,Solutions Docs/content/googlesecops-google-secops-gcti-threat-intelligence-finding-b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f-d7741376.html +content,googlesecops-google-secops-multi-event-correlated-alert-d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e-b1a07461,content/googlesecops-google-secops-multi-event-correlated-alert-d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e-b1a07461.md,content/googlesecops-google-secops-multi-event-correlated-alert-d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e-b1a07461.html,Solutions Docs/content/googlesecops-google-secops-multi-event-correlated-alert-d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e-b1a07461.md,Solutions Docs/content/googlesecops-google-secops-multi-event-correlated-alert-d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e-b1a07461.html +content,googlesecops-google-secops-single-event-alert-e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f-4b55b757,content/googlesecops-google-secops-single-event-alert-e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f-4b55b757.md,content/googlesecops-google-secops-single-event-alert-e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f-4b55b757.html,Solutions Docs/content/googlesecops-google-secops-single-event-alert-e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f-4b55b757.md,Solutions Docs/content/googlesecops-google-secops-single-event-alert-e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f-4b55b757.html content,googleworkspacereports-googleworkspace-6948e392,content/googleworkspacereports-googleworkspace-6948e392.md,content/googleworkspacereports-googleworkspace-6948e392.html,Solutions 
Docs/content/googleworkspacereports-googleworkspace-6948e392.md,Solutions Docs/content/googleworkspacereports-googleworkspace-6948e392.html content,googleworkspacereports-gworkspace-admin-permissions-granted-03f25156-6172-11ec-90d6-0242ac120003-8b9cd6f1,content/googleworkspacereports-gworkspace-admin-permissions-granted-03f25156-6172-11ec-90d6-0242ac120003-8b9cd6f1.md,content/googleworkspacereports-gworkspace-admin-permissions-granted-03f25156-6172-11ec-90d6-0242ac120003-8b9cd6f1.html,Solutions Docs/content/googleworkspacereports-gworkspace-admin-permissions-granted-03f25156-6172-11ec-90d6-0242ac120003-8b9cd6f1.md,Solutions Docs/content/googleworkspacereports-gworkspace-admin-permissions-granted-03f25156-6172-11ec-90d6-0242ac120003-8b9cd6f1.html content,googleworkspacereports-gworkspace-alert-events-e369d246-5da8-11ec-bf63-0242ac130002-80adb373,content/googleworkspacereports-gworkspace-alert-events-e369d246-5da8-11ec-bf63-0242ac130002-80adb373.md,content/googleworkspacereports-gworkspace-alert-events-e369d246-5da8-11ec-bf63-0242ac130002-80adb373.html,Solutions Docs/content/googleworkspacereports-gworkspace-alert-events-e369d246-5da8-11ec-bf63-0242ac130002-80adb373.md,Solutions Docs/content/googleworkspacereports-gworkspace-alert-events-e369d246-5da8-11ec-bf63-0242ac130002-80adb373.html 
@@ -5803,6 +5826,8 @@ content,sap-btp-btp-user-added-to-sensitive-privileged-role-collection-5acbe4cb- content,sap-btp-sapbtpactivity-8f5b3a2b,content/sap-btp-sapbtpactivity-8f5b3a2b.md,content/sap-btp-sapbtpactivity-8f5b3a2b.html,Solutions Docs/content/sap-btp-sapbtpactivity-8f5b3a2b.md,Solutions Docs/content/sap-btp-sapbtpactivity-8f5b3a2b.html content,sap-etd-cloud-sap-etd-execution-of-sensitive-function-module-c6111e06-11e2-45eb-86ef-28313a06db35-96b35578,content/sap-etd-cloud-sap-etd-execution-of-sensitive-function-module-c6111e06-11e2-45eb-86ef-28313a06db35-96b35578.md,content/sap-etd-cloud-sap-etd-execution-of-sensitive-function-module-c6111e06-11e2-45eb-86ef-28313a06db35-96b35578.html,Solutions Docs/content/sap-etd-cloud-sap-etd-execution-of-sensitive-function-module-c6111e06-11e2-45eb-86ef-28313a06db35-96b35578.md,Solutions Docs/content/sap-etd-cloud-sap-etd-execution-of-sensitive-function-module-c6111e06-11e2-45eb-86ef-28313a06db35-96b35578.html content,sap-etd-cloud-sap-etd-login-from-unexpected-network-5dd72ebe-03ac-43ac-851b-68cfe5106e4f-bc0de3f5,content/sap-etd-cloud-sap-etd-login-from-unexpected-network-5dd72ebe-03ac-43ac-851b-68cfe5106e4f-bc0de3f5.md,content/sap-etd-cloud-sap-etd-login-from-unexpected-network-5dd72ebe-03ac-43ac-851b-68cfe5106e4f-bc0de3f5.html,Solutions Docs/content/sap-etd-cloud-sap-etd-login-from-unexpected-network-5dd72ebe-03ac-43ac-851b-68cfe5106e4f-bc0de3f5.md,Solutions Docs/content/sap-etd-cloud-sap-etd-login-from-unexpected-network-5dd72ebe-03ac-43ac-851b-68cfe5106e4f-bc0de3f5.html +content,sap-etd-cloud-sap-etd-no-new-data-received-a9206c5a-3e72-4c10-807f-313a56075b20-e0dd0f13,content/sap-etd-cloud-sap-etd-no-new-data-received-a9206c5a-3e72-4c10-807f-313a56075b20-e0dd0f13.md,content/sap-etd-cloud-sap-etd-no-new-data-received-a9206c5a-3e72-4c10-807f-313a56075b20-e0dd0f13.html,Solutions Docs/content/sap-etd-cloud-sap-etd-no-new-data-received-a9206c5a-3e72-4c10-807f-313a56075b20-e0dd0f13.md,Solutions 
Docs/content/sap-etd-cloud-sap-etd-no-new-data-received-a9206c5a-3e72-4c10-807f-313a56075b20-e0dd0f13.html +content,sap-etd-cloud-sap-etd-sap-system-stopped-reporting-data-b1413b43-9410-46f4-94d9-da507105d834-06d70879,content/sap-etd-cloud-sap-etd-sap-system-stopped-reporting-data-b1413b43-9410-46f4-94d9-da507105d834-06d70879.md,content/sap-etd-cloud-sap-etd-sap-system-stopped-reporting-data-b1413b43-9410-46f4-94d9-da507105d834-06d70879.html,Solutions Docs/content/sap-etd-cloud-sap-etd-sap-system-stopped-reporting-data-b1413b43-9410-46f4-94d9-da507105d834-06d70879.md,Solutions Docs/content/sap-etd-cloud-sap-etd-sap-system-stopped-reporting-data-b1413b43-9410-46f4-94d9-da507105d834-06d70879.html content,sap-etd-cloud-sap-etd-synch-alerts-7a830484-e349-4527-85f6-7850c468c238-8305da5b,content/sap-etd-cloud-sap-etd-synch-alerts-7a830484-e349-4527-85f6-7850c468c238-8305da5b.md,content/sap-etd-cloud-sap-etd-synch-alerts-7a830484-e349-4527-85f6-7850c468c238-8305da5b.html,Solutions Docs/content/sap-etd-cloud-sap-etd-synch-alerts-7a830484-e349-4527-85f6-7850c468c238-8305da5b.md,Solutions Docs/content/sap-etd-cloud-sap-etd-synch-alerts-7a830484-e349-4527-85f6-7850c468c238-8305da5b.html content,sap-etd-cloud-sap-etd-synch-investigations-5096db53-fad3-4844-a264-246f7b7e6e06-9c9e9b19,content/sap-etd-cloud-sap-etd-synch-investigations-5096db53-fad3-4844-a264-246f7b7e6e06-9c9e9b19.md,content/sap-etd-cloud-sap-etd-synch-investigations-5096db53-fad3-4844-a264-246f7b7e6e06-9c9e9b19.html,Solutions Docs/content/sap-etd-cloud-sap-etd-synch-investigations-5096db53-fad3-4844-a264-246f7b7e6e06-9c9e9b19.md,Solutions Docs/content/sap-etd-cloud-sap-etd-synch-investigations-5096db53-fad3-4844-a264-246f7b7e6e06-9c9e9b19.html 
content,sap-logserv-sap-logserv-hana-db-assign-admin-authorizations-4981469b-8618-43a7-b44c-5744594fa494-5de53ca7,content/sap-logserv-sap-logserv-hana-db-assign-admin-authorizations-4981469b-8618-43a7-b44c-5744594fa494-5de53ca7.md,content/sap-logserv-sap-logserv-hana-db-assign-admin-authorizations-4981469b-8618-43a7-b44c-5744594fa494-5de53ca7.html,Solutions Docs/content/sap-logserv-sap-logserv-hana-db-assign-admin-authorizations-4981469b-8618-43a7-b44c-5744594fa494-5de53ca7.md,Solutions Docs/content/sap-logserv-sap-logserv-hana-db-assign-admin-authorizations-4981469b-8618-43a7-b44c-5744594fa494-5de53ca7.html 
@@ -6559,6 +6584,15 @@ content,standalone-content-zscalardnseventsipsummary-260f16fc-4734-4635-babd-ba3 content,standalone-content-zscalarnetworksessionipsummary-6457ab65-69ea-4444-981d-1ecaf414fda7-39b1aedb,content/standalone-content-zscalarnetworksessionipsummary-6457ab65-69ea-4444-981d-1ecaf414fda7-39b1aedb.md,content/standalone-content-zscalarnetworksessionipsummary-6457ab65-69ea-4444-981d-1ecaf414fda7-39b1aedb.html,Solutions Docs/content/standalone-content-zscalarnetworksessionipsummary-6457ab65-69ea-4444-981d-1ecaf414fda7-39b1aedb.md,Solutions Docs/content/standalone-content-zscalarnetworksessionipsummary-6457ab65-69ea-4444-981d-1ecaf414fda7-39b1aedb.html content,standalone-content-zscalarwebsessionipsummary-b45e1d40-58c0-4f6c-83f0-1019c9237cb4-2a3569a7,content/standalone-content-zscalarwebsessionipsummary-b45e1d40-58c0-4f6c-83f0-1019c9237cb4-2a3569a7.md,content/standalone-content-zscalarwebsessionipsummary-b45e1d40-58c0-4f6c-83f0-1019c9237cb4-2a3569a7.html,Solutions Docs/content/standalone-content-zscalarwebsessionipsummary-b45e1d40-58c0-4f6c-83f0-1019c9237cb4-2a3569a7.md,Solutions Docs/content/standalone-content-zscalarwebsessionipsummary-b45e1d40-58c0-4f6c-83f0-1019c9237cb4-2a3569a7.html content,standalone-content-zscaler-url-category-lookup-92bad5b5,content/standalone-content-zscaler-url-category-lookup-92bad5b5.md,content/standalone-content-zscaler-url-category-lookup-92bad5b5.html,Solutions Docs/content/standalone-content-zscaler-url-category-lookup-92bad5b5.md,Solutions Docs/content/standalone-content-zscaler-url-category-lookup-92bad5b5.html +content,stealthtalk-stealthtalk-account-takeover-sequence-d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a-412a3fc8,content/stealthtalk-stealthtalk-account-takeover-sequence-d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a-412a3fc8.md,content/stealthtalk-stealthtalk-account-takeover-sequence-d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a-412a3fc8.html,Solutions 
Docs/content/stealthtalk-stealthtalk-account-takeover-sequence-d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a-412a3fc8.md,Solutions Docs/content/stealthtalk-stealthtalk-account-takeover-sequence-d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a-412a3fc8.html +content,stealthtalk-stealthtalk-after-hours-work-e3a8b2f1-5c7d-4d89-9b6e-0f1a2c3d4e5f-f70b1be5,content/stealthtalk-stealthtalk-after-hours-work-e3a8b2f1-5c7d-4d89-9b6e-0f1a2c3d4e5f-f70b1be5.md,content/stealthtalk-stealthtalk-after-hours-work-e3a8b2f1-5c7d-4d89-9b6e-0f1a2c3d4e5f-f70b1be5.html,Solutions Docs/content/stealthtalk-stealthtalk-after-hours-work-e3a8b2f1-5c7d-4d89-9b6e-0f1a2c3d4e5f-f70b1be5.md,Solutions Docs/content/stealthtalk-stealthtalk-after-hours-work-e3a8b2f1-5c7d-4d89-9b6e-0f1a2c3d4e5f-f70b1be5.html +content,stealthtalk-stealthtalk-alert-to-microsoft-teams-a29da8d6,content/stealthtalk-stealthtalk-alert-to-microsoft-teams-a29da8d6.md,content/stealthtalk-stealthtalk-alert-to-microsoft-teams-a29da8d6.html,Solutions Docs/content/stealthtalk-stealthtalk-alert-to-microsoft-teams-a29da8d6.md,Solutions Docs/content/stealthtalk-stealthtalk-alert-to-microsoft-teams-a29da8d6.html +content,stealthtalk-stealthtalk-brute-force-followed-by-suspicious-access-e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b-13cf45fe,content/stealthtalk-stealthtalk-brute-force-followed-by-suspicious-access-e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b-13cf45fe.md,content/stealthtalk-stealthtalk-brute-force-followed-by-suspicious-access-e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b-13cf45fe.html,Solutions Docs/content/stealthtalk-stealthtalk-brute-force-followed-by-suspicious-access-e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b-13cf45fe.md,Solutions Docs/content/stealthtalk-stealthtalk-brute-force-followed-by-suspicious-access-e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b-13cf45fe.html 
+content,stealthtalk-stealthtalk-impossible-travel-c1d4e7f2-8b3a-4c6d-9e5f-2a1b3c4d5e6f-22aa12ef,content/stealthtalk-stealthtalk-impossible-travel-c1d4e7f2-8b3a-4c6d-9e5f-2a1b3c4d5e6f-22aa12ef.md,content/stealthtalk-stealthtalk-impossible-travel-c1d4e7f2-8b3a-4c6d-9e5f-2a1b3c4d5e6f-22aa12ef.html,Solutions Docs/content/stealthtalk-stealthtalk-impossible-travel-c1d4e7f2-8b3a-4c6d-9e5f-2a1b3c4d5e6f-22aa12ef.md,Solutions Docs/content/stealthtalk-stealthtalk-impossible-travel-c1d4e7f2-8b3a-4c6d-9e5f-2a1b3c4d5e6f-22aa12ef.html +content,stealthtalk-stealthtalk-login-outside-work-zone-a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c-f2762d8d,content/stealthtalk-stealthtalk-login-outside-work-zone-a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c-f2762d8d.md,content/stealthtalk-stealthtalk-login-outside-work-zone-a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c-f2762d8d.html,Solutions Docs/content/stealthtalk-stealthtalk-login-outside-work-zone-a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c-f2762d8d.md,Solutions Docs/content/stealthtalk-stealthtalk-login-outside-work-zone-a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c-f2762d8d.html +content,stealthtalk-stealthtalk-multi-new-devices-registration-f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e-8e98d5a7,content/stealthtalk-stealthtalk-multi-new-devices-registration-f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e-8e98d5a7.md,content/stealthtalk-stealthtalk-multi-new-devices-registration-f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e-8e98d5a7.html,Solutions Docs/content/stealthtalk-stealthtalk-multi-new-devices-registration-f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e-8e98d5a7.md,Solutions Docs/content/stealthtalk-stealthtalk-multi-new-devices-registration-f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e-8e98d5a7.html +content,stealthtalk-stealthtalk-password-brute-force-b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b-057ae82f,content/stealthtalk-stealthtalk-password-brute-force-b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b-057ae82f.md,content/stealthtalk-stealthtalk-password-brute-force-b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b-057ae82f.html,Solutions 
Docs/content/stealthtalk-stealthtalk-password-brute-force-b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b-057ae82f.md,Solutions Docs/content/stealthtalk-stealthtalk-password-brute-force-b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b-057ae82f.html +content,stealthtalk-stealthtalkanomalousauthmonitor-66e563fa,content/stealthtalk-stealthtalkanomalousauthmonitor-66e563fa.md,content/stealthtalk-stealthtalkanomalousauthmonitor-66e563fa.html,Solutions Docs/content/stealthtalk-stealthtalkanomalousauthmonitor-66e563fa.md,Solutions Docs/content/stealthtalk-stealthtalkanomalousauthmonitor-66e563fa.html content,summary-rules,content/summary-rules.md,content/summary-rules.html,Solutions Docs/content/summary-rules.md,Solutions Docs/content/summary-rules.html content,symantec-endpoint-protection-excessive-blocked-traffic-events-generated-by-user-fa0ab69c-7124-4f62-acdd-61017cf6ce89-abbc5183,content/symantec-endpoint-protection-excessive-blocked-traffic-events-generated-by-user-fa0ab69c-7124-4f62-acdd-61017cf6ce89-abbc5183.md,content/symantec-endpoint-protection-excessive-blocked-traffic-events-generated-by-user-fa0ab69c-7124-4f62-acdd-61017cf6ce89-abbc5183.html,Solutions Docs/content/symantec-endpoint-protection-excessive-blocked-traffic-events-generated-by-user-fa0ab69c-7124-4f62-acdd-61017cf6ce89-abbc5183.md,Solutions Docs/content/symantec-endpoint-protection-excessive-blocked-traffic-events-generated-by-user-fa0ab69c-7124-4f62-acdd-61017cf6ce89-abbc5183.html content,symantec-endpoint-protection-malware-detected-072ee087-17e1-474d-b162-bbe38bcab9f9-b5192972,content/symantec-endpoint-protection-malware-detected-072ee087-17e1-474d-b162-bbe38bcab9f9-b5192972.md,content/symantec-endpoint-protection-malware-detected-072ee087-17e1-474d-b162-bbe38bcab9f9-b5192972.html,Solutions Docs/content/symantec-endpoint-protection-malware-detected-072ee087-17e1-474d-b162-bbe38bcab9f9-b5192972.md,Solutions Docs/content/symantec-endpoint-protection-malware-detected-072ee087-17e1-474d-b162-bbe38bcab9f9-b5192972.html 
@@ -6919,9 +6953,48 @@ content,ueba-essentials-top-anomalous-source-ip-triage-e1f2a3b4-c5d6-7890-1234-a content,ueba-essentials-ueba-multi-source-anomalous-activity-overview-b2c3d4e5-f6g7-8901-bcde-fg2345678901-43dc4d3b,content/ueba-essentials-ueba-multi-source-anomalous-activity-overview-b2c3d4e5-f6g7-8901-bcde-fg2345678901-43dc4d3b.md,content/ueba-essentials-ueba-multi-source-anomalous-activity-overview-b2c3d4e5-f6g7-8901-bcde-fg2345678901-43dc4d3b.html,Solutions Docs/content/ueba-essentials-ueba-multi-source-anomalous-activity-overview-b2c3d4e5-f6g7-8901-bcde-fg2345678901-43dc4d3b.md,Solutions Docs/content/ueba-essentials-ueba-multi-source-anomalous-activity-overview-b2c3d4e5-f6g7-8901-bcde-fg2345678901-43dc4d3b.html content,ueba-essentials-uebabehaviorsanalysisworkbook-c444e4d9,content/ueba-essentials-uebabehaviorsanalysisworkbook-c444e4d9.md,content/ueba-essentials-uebabehaviorsanalysisworkbook-c444e4d9.html,Solutions Docs/content/ueba-essentials-uebabehaviorsanalysisworkbook-c444e4d9.md,Solutions Docs/content/ueba-essentials-uebabehaviorsanalysisworkbook-c444e4d9.html content,ueba-essentials-user-centric-anomaly-investigation-c9d0e1f2-a3b4-5678-9012-cdef34567890-0fcdf7d4,content/ueba-essentials-user-centric-anomaly-investigation-c9d0e1f2-a3b4-5678-9012-cdef34567890-0fcdf7d4.md,content/ueba-essentials-user-centric-anomaly-investigation-c9d0e1f2-a3b4-5678-9012-cdef34567890-0fcdf7d4.html,Solutions Docs/content/ueba-essentials-user-centric-anomaly-investigation-c9d0e1f2-a3b4-5678-9012-cdef34567890-0fcdf7d4.md,Solutions Docs/content/ueba-essentials-user-centric-anomaly-investigation-c9d0e1f2-a3b4-5678-9012-cdef34567890-0fcdf7d4.html 
+content,unifi-site-manager-ccf-unifi-site-manager-console-firmware-likely-security-relevant-4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d-efd1cdee,content/unifi-site-manager-ccf-unifi-site-manager-console-firmware-likely-security-relevant-4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d-efd1cdee.md,content/unifi-site-manager-ccf-unifi-site-manager-console-firmware-likely-security-relevant-4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d-efd1cdee.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-console-firmware-likely-security-relevant-4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d-efd1cdee.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-console-firmware-likely-security-relevant-4f7b9e6c-5d1a-4392-8c2b-3e4f5a6b7c8d-efd1cdee.html +content,unifi-site-manager-ccf-unifi-site-manager-console-group-membership-churn-8e22eb19-51df-37f7-468f-9d112fff9098-98a99608,content/unifi-site-manager-ccf-unifi-site-manager-console-group-membership-churn-8e22eb19-51df-37f7-468f-9d112fff9098-98a99608.md,content/unifi-site-manager-ccf-unifi-site-manager-console-group-membership-churn-8e22eb19-51df-37f7-468f-9d112fff9098-98a99608.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-console-group-membership-churn-8e22eb19-51df-37f7-468f-9d112fff9098-98a99608.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-console-group-membership-churn-8e22eb19-51df-37f7-468f-9d112fff9098-98a99608.html +content,unifi-site-manager-ccf-unifi-site-manager-controller-connection-state-change-ac1efe0f-654e-264e-07be-c1b60e698343-3c91e6f0,content/unifi-site-manager-ccf-unifi-site-manager-controller-connection-state-change-ac1efe0f-654e-264e-07be-c1b60e698343-3c91e6f0.md,content/unifi-site-manager-ccf-unifi-site-manager-controller-connection-state-change-ac1efe0f-654e-264e-07be-c1b60e698343-3c91e6f0.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-controller-connection-state-change-ac1efe0f-654e-264e-07be-c1b60e698343-3c91e6f0.md,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-controller-connection-state-change-ac1efe0f-654e-264e-07be-c1b60e698343-3c91e6f0.html +content,unifi-site-manager-ccf-unifi-site-manager-data-connector-health-1fb5c195-9bff-e18b-3e8f-5123f46bff9d-d7ce8ffe,content/unifi-site-manager-ccf-unifi-site-manager-data-connector-health-1fb5c195-9bff-e18b-3e8f-5123f46bff9d-d7ce8ffe.md,content/unifi-site-manager-ccf-unifi-site-manager-data-connector-health-1fb5c195-9bff-e18b-3e8f-5123f46bff9d-d7ce8ffe.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-data-connector-health-1fb5c195-9bff-e18b-3e8f-5123f46bff9d-d7ce8ffe.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-data-connector-health-1fb5c195-9bff-e18b-3e8f-5123f46bff9d-d7ce8ffe.html +content,unifi-site-manager-ccf-unifi-site-manager-device-offline-f3fa4f3f-c8db-ae35-ee06-04de2dfac511-4e587b03,content/unifi-site-manager-ccf-unifi-site-manager-device-offline-f3fa4f3f-c8db-ae35-ee06-04de2dfac511-4e587b03.md,content/unifi-site-manager-ccf-unifi-site-manager-device-offline-f3fa4f3f-c8db-ae35-ee06-04de2dfac511-4e587b03.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-device-offline-f3fa4f3f-c8db-ae35-ee06-04de2dfac511-4e587b03.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-device-offline-f3fa4f3f-c8db-ae35-ee06-04de2dfac511-4e587b03.html +content,unifi-site-manager-ccf-unifi-site-manager-devices-adopted-outside-business-hours-77bba2d0-92e1-408d-9e43-2d6e5e81538e-a47bd3d1,content/unifi-site-manager-ccf-unifi-site-manager-devices-adopted-outside-business-hours-77bba2d0-92e1-408d-9e43-2d6e5e81538e-a47bd3d1.md,content/unifi-site-manager-ccf-unifi-site-manager-devices-adopted-outside-business-hours-77bba2d0-92e1-408d-9e43-2d6e5e81538e-a47bd3d1.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-devices-adopted-outside-business-hours-77bba2d0-92e1-408d-9e43-2d6e5e81538e-a47bd3d1.md,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-devices-adopted-outside-business-hours-77bba2d0-92e1-408d-9e43-2d6e5e81538e-a47bd3d1.html +content,unifi-site-manager-ccf-unifi-site-manager-devices-flapping-online-offline-0f489145-b472-a821-a166-a6c68e346ad2-e0d5ccfa,content/unifi-site-manager-ccf-unifi-site-manager-devices-flapping-online-offline-0f489145-b472-a821-a166-a6c68e346ad2-e0d5ccfa.md,content/unifi-site-manager-ccf-unifi-site-manager-devices-flapping-online-offline-0f489145-b472-a821-a166-a6c68e346ad2-e0d5ccfa.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-devices-flapping-online-offline-0f489145-b472-a821-a166-a6c68e346ad2-e0d5ccfa.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-devices-flapping-online-offline-0f489145-b472-a821-a166-a6c68e346ad2-e0d5ccfa.html +content,unifi-site-manager-ccf-unifi-site-manager-external-wan-ip-changed-ef1a293a-9e2b-b087-7816-2610814ed2d4-3737ecc9,content/unifi-site-manager-ccf-unifi-site-manager-external-wan-ip-changed-ef1a293a-9e2b-b087-7816-2610814ed2d4-3737ecc9.md,content/unifi-site-manager-ccf-unifi-site-manager-external-wan-ip-changed-ef1a293a-9e2b-b087-7816-2610814ed2d4-3737ecc9.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-external-wan-ip-changed-ef1a293a-9e2b-b087-7816-2610814ed2d4-3737ecc9.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-external-wan-ip-changed-ef1a293a-9e2b-b087-7816-2610814ed2d4-3737ecc9.html +content,unifi-site-manager-ccf-unifi-site-manager-firmware-drift-hotspots-1d767977-460a-29c3-06f7-799a91a80daf-98dd6640,content/unifi-site-manager-ccf-unifi-site-manager-firmware-drift-hotspots-1d767977-460a-29c3-06f7-799a91a80daf-98dd6640.md,content/unifi-site-manager-ccf-unifi-site-manager-firmware-drift-hotspots-1d767977-460a-29c3-06f7-799a91a80daf-98dd6640.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-drift-hotspots-1d767977-460a-29c3-06f7-799a91a80daf-98dd6640.md,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-drift-hotspots-1d767977-460a-29c3-06f7-799a91a80daf-98dd6640.html +content,unifi-site-manager-ccf-unifi-site-manager-firmware-update-available-83b88ab5-21ca-5dd2-df91-6db4354f9360-7a3c48d6,content/unifi-site-manager-ccf-unifi-site-manager-firmware-update-available-83b88ab5-21ca-5dd2-df91-6db4354f9360-7a3c48d6.md,content/unifi-site-manager-ccf-unifi-site-manager-firmware-update-available-83b88ab5-21ca-5dd2-df91-6db4354f9360-7a3c48d6.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-update-available-83b88ab5-21ca-5dd2-df91-6db4354f9360-7a3c48d6.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-update-available-83b88ab5-21ca-5dd2-df91-6db4354f9360-7a3c48d6.html +content,unifi-site-manager-ccf-unifi-site-manager-firmware-version-diversity-within-a-model-2b0ca272-72fd-c2c2-6728-7f287c22e275-fb38da72,content/unifi-site-manager-ccf-unifi-site-manager-firmware-version-diversity-within-a-model-2b0ca272-72fd-c2c2-6728-7f287c22e275-fb38da72.md,content/unifi-site-manager-ccf-unifi-site-manager-firmware-version-diversity-within-a-model-2b0ca272-72fd-c2c2-6728-7f287c22e275-fb38da72.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-version-diversity-within-a-model-2b0ca272-72fd-c2c2-6728-7f287c22e275-fb38da72.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-firmware-version-diversity-within-a-model-2b0ca272-72fd-c2c2-6728-7f287c22e275-fb38da72.html +content,unifi-site-manager-ccf-unifi-site-manager-ips-ids-disabled-or-misconfigured-36a64027-729e-51d7-16bf-8e926c03712a-79e9233f,content/unifi-site-manager-ccf-unifi-site-manager-ips-ids-disabled-or-misconfigured-36a64027-729e-51d7-16bf-8e926c03712a-79e9233f.md,content/unifi-site-manager-ccf-unifi-site-manager-ips-ids-disabled-or-misconfigured-36a64027-729e-51d7-16bf-8e926c03712a-79e9233f.html,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-ips-ids-disabled-or-misconfigured-36a64027-729e-51d7-16bf-8e926c03712a-79e9233f.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-ips-ids-disabled-or-misconfigured-36a64027-729e-51d7-16bf-8e926c03712a-79e9233f.html +content,unifi-site-manager-ccf-unifi-site-manager-ips-signature-count-dropped-50-aa188a24-783a-76a1-cd11-3bcac0e97de9-b2cafcd5,content/unifi-site-manager-ccf-unifi-site-manager-ips-signature-count-dropped-50-aa188a24-783a-76a1-cd11-3bcac0e97de9-b2cafcd5.md,content/unifi-site-manager-ccf-unifi-site-manager-ips-signature-count-dropped-50-aa188a24-783a-76a1-cd11-3bcac0e97de9-b2cafcd5.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-ips-signature-count-dropped-50-aa188a24-783a-76a1-cd11-3bcac0e97de9-b2cafcd5.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-ips-signature-count-dropped-50-aa188a24-783a-76a1-cd11-3bcac0e97de9-b2cafcd5.html +content,unifi-site-manager-ccf-unifi-site-manager-isp-downtime-b54123ef-cfa7-769e-a959-f437404a1192-56e7d806,content/unifi-site-manager-ccf-unifi-site-manager-isp-downtime-b54123ef-cfa7-769e-a959-f437404a1192-56e7d806.md,content/unifi-site-manager-ccf-unifi-site-manager-isp-downtime-b54123ef-cfa7-769e-a959-f437404a1192-56e7d806.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-downtime-b54123ef-cfa7-769e-a959-f437404a1192-56e7d806.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-downtime-b54123ef-cfa7-769e-a959-f437404a1192-56e7d806.html +content,unifi-site-manager-ccf-unifi-site-manager-isp-high-latency-77d8f6d0-b45c-ea6e-7c58-daac194a095f-abf07f90,content/unifi-site-manager-ccf-unifi-site-manager-isp-high-latency-77d8f6d0-b45c-ea6e-7c58-daac194a095f-abf07f90.md,content/unifi-site-manager-ccf-unifi-site-manager-isp-high-latency-77d8f6d0-b45c-ea6e-7c58-daac194a095f-abf07f90.html,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-high-latency-77d8f6d0-b45c-ea6e-7c58-daac194a095f-abf07f90.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-high-latency-77d8f6d0-b45c-ea6e-7c58-daac194a095f-abf07f90.html +content,unifi-site-manager-ccf-unifi-site-manager-isp-packet-loss-6f2d71d6-e6c4-0da4-91da-e8192dc5b12c-01172d66,content/unifi-site-manager-ccf-unifi-site-manager-isp-packet-loss-6f2d71d6-e6c4-0da4-91da-e8192dc5b12c-01172d66.md,content/unifi-site-manager-ccf-unifi-site-manager-isp-packet-loss-6f2d71d6-e6c4-0da4-91da-e8192dc5b12c-01172d66.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-packet-loss-6f2d71d6-e6c4-0da4-91da-e8192dc5b12c-01172d66.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-packet-loss-6f2d71d6-e6c4-0da4-91da-e8192dc5b12c-01172d66.html +content,unifi-site-manager-ccf-unifi-site-manager-isp-sla-breach-fecd4ab1-b24e-8413-9164-e3621c8d7caa-c71a536e,content/unifi-site-manager-ccf-unifi-site-manager-isp-sla-breach-fecd4ab1-b24e-8413-9164-e3621c8d7caa-c71a536e.md,content/unifi-site-manager-ccf-unifi-site-manager-isp-sla-breach-fecd4ab1-b24e-8413-9164-e3621c8d7caa-c71a536e.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-sla-breach-fecd4ab1-b24e-8413-9164-e3621c8d7caa-c71a536e.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-isp-sla-breach-fecd4ab1-b24e-8413-9164-e3621c8d7caa-c71a536e.html +content,unifi-site-manager-ccf-unifi-site-manager-long-tail-isp-latency-hotspots-p95-3f49ba8c-8995-9d38-579d-24afa09f5a2a-7d6d26cc,content/unifi-site-manager-ccf-unifi-site-manager-long-tail-isp-latency-hotspots-p95-3f49ba8c-8995-9d38-579d-24afa09f5a2a-7d6d26cc.md,content/unifi-site-manager-ccf-unifi-site-manager-long-tail-isp-latency-hotspots-p95-3f49ba8c-8995-9d38-579d-24afa09f5a2a-7d6d26cc.html,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-long-tail-isp-latency-hotspots-p95-3f49ba8c-8995-9d38-579d-24afa09f5a2a-7d6d26cc.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-long-tail-isp-latency-hotspots-p95-3f49ba8c-8995-9d38-579d-24afa09f5a2a-7d6d26cc.html +content,unifi-site-manager-ccf-unifi-site-manager-multiple-devices-offline-9283b576-5350-fca1-3979-dacb6acd1d16-e4324d9f,content/unifi-site-manager-ccf-unifi-site-manager-multiple-devices-offline-9283b576-5350-fca1-3979-dacb6acd1d16-e4324d9f.md,content/unifi-site-manager-ccf-unifi-site-manager-multiple-devices-offline-9283b576-5350-fca1-3979-dacb6acd1d16-e4324d9f.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-multiple-devices-offline-9283b576-5350-fca1-3979-dacb6acd1d16-e4324d9f.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-multiple-devices-offline-9283b576-5350-fca1-3979-dacb6acd1d16-e4324d9f.html +content,unifi-site-manager-ccf-unifi-site-manager-new-critical-notifications-appeared-e4b75722-7239-f247-558f-d2e851ea0b38-c5146a32,content/unifi-site-manager-ccf-unifi-site-manager-new-critical-notifications-appeared-e4b75722-7239-f247-558f-d2e851ea0b38-c5146a32.md,content/unifi-site-manager-ccf-unifi-site-manager-new-critical-notifications-appeared-e4b75722-7239-f247-558f-d2e851ea0b38-c5146a32.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-critical-notifications-appeared-e4b75722-7239-f247-558f-d2e851ea0b38-c5146a32.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-critical-notifications-appeared-e4b75722-7239-f247-558f-d2e851ea0b38-c5146a32.html 
+content,unifi-site-manager-ccf-unifi-site-manager-new-device-adopted-e69be544-9476-35bb-2533-fa8c650dcd46-d519edad,content/unifi-site-manager-ccf-unifi-site-manager-new-device-adopted-e69be544-9476-35bb-2533-fa8c650dcd46-d519edad.md,content/unifi-site-manager-ccf-unifi-site-manager-new-device-adopted-e69be544-9476-35bb-2533-fa8c650dcd46-d519edad.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-device-adopted-e69be544-9476-35bb-2533-fa8c650dcd46-d519edad.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-device-adopted-e69be544-9476-35bb-2533-fa8c650dcd46-d519edad.html +content,unifi-site-manager-ccf-unifi-site-manager-new-wan-issue-index-recorded-17d09e1b-8a3f-776b-6981-dbe2cc74d097-079ccb3a,content/unifi-site-manager-ccf-unifi-site-manager-new-wan-issue-index-recorded-17d09e1b-8a3f-776b-6981-dbe2cc74d097-079ccb3a.md,content/unifi-site-manager-ccf-unifi-site-manager-new-wan-issue-index-recorded-17d09e1b-8a3f-776b-6981-dbe2cc74d097-079ccb3a.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-wan-issue-index-recorded-17d09e1b-8a3f-776b-6981-dbe2cc74d097-079ccb3a.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-wan-issue-index-recorded-17d09e1b-8a3f-776b-6981-dbe2cc74d097-079ccb3a.html +content,unifi-site-manager-ccf-unifi-site-manager-new-wan2-secondary-issue-recorded-b16f13ae-343b-9513-e684-469cdf9471b2-fa617154,content/unifi-site-manager-ccf-unifi-site-manager-new-wan2-secondary-issue-recorded-b16f13ae-343b-9513-e684-469cdf9471b2-fa617154.md,content/unifi-site-manager-ccf-unifi-site-manager-new-wan2-secondary-issue-recorded-b16f13ae-343b-9513-e684-469cdf9471b2-fa617154.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-wan2-secondary-issue-recorded-b16f13ae-343b-9513-e684-469cdf9471b2-fa617154.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-new-wan2-secondary-issue-recorded-b16f13ae-343b-9513-e684-469cdf9471b2-fa617154.html 
+content,unifi-site-manager-ccf-unifi-site-manager-pending-firmware-updates-outstanding-for-7d+-d943d401-861e-7186-d42c-c505fbf7c619-b37c1db1,content/unifi-site-manager-ccf-unifi-site-manager-pending-firmware-updates-outstanding-for-7d+-d943d401-861e-7186-d42c-c505fbf7c619-b37c1db1.md,content/unifi-site-manager-ccf-unifi-site-manager-pending-firmware-updates-outstanding-for-7d+-d943d401-861e-7186-d42c-c505fbf7c619-b37c1db1.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-pending-firmware-updates-outstanding-for-7d+-d943d401-861e-7186-d42c-c505fbf7c619-b37c1db1.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-pending-firmware-updates-outstanding-for-7d+-d943d401-861e-7186-d42c-c505fbf7c619-b37c1db1.html +content,unifi-site-manager-ccf-unifi-site-manager-site-health-critical-c8875ebb-cc6e-14e4-4216-d8b06fd92c90-96e99041,content/unifi-site-manager-ccf-unifi-site-manager-site-health-critical-c8875ebb-cc6e-14e4-4216-d8b06fd92c90-96e99041.md,content/unifi-site-manager-ccf-unifi-site-manager-site-health-critical-c8875ebb-cc6e-14e4-4216-d8b06fd92c90-96e99041.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-site-health-critical-c8875ebb-cc6e-14e4-4216-d8b06fd92c90-96e99041.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-site-health-critical-c8875ebb-cc6e-14e4-4216-d8b06fd92c90-96e99041.html +content,unifi-site-manager-ccf-unifi-site-manager-sites-with-persistent-wan-issues-2dbe3bb8-1522-e491-2eac-72bb0923c5eb-a78b6f92,content/unifi-site-manager-ccf-unifi-site-manager-sites-with-persistent-wan-issues-2dbe3bb8-1522-e491-2eac-72bb0923c5eb-a78b6f92.md,content/unifi-site-manager-ccf-unifi-site-manager-sites-with-persistent-wan-issues-2dbe3bb8-1522-e491-2eac-72bb0923c5eb-a78b6f92.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-sites-with-persistent-wan-issues-2dbe3bb8-1522-e491-2eac-72bb0923c5eb-a78b6f92.md,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-sites-with-persistent-wan-issues-2dbe3bb8-1522-e491-2eac-72bb0923c5eb-a78b6f92.html +content,unifi-site-manager-ccf-unifi-site-manager-system-log-shipping-disabled-f32950bc-6553-4c03-2686-a9c29ef318e8-3d860f6a,content/unifi-site-manager-ccf-unifi-site-manager-system-log-shipping-disabled-f32950bc-6553-4c03-2686-a9c29ef318e8-3d860f6a.md,content/unifi-site-manager-ccf-unifi-site-manager-system-log-shipping-disabled-f32950bc-6553-4c03-2686-a9c29ef318e8-3d860f6a.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-system-log-shipping-disabled-f32950bc-6553-4c03-2686-a9c29ef318e8-3d860f6a.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-system-log-shipping-disabled-f32950bc-6553-4c03-2686-a9c29ef318e8-3d860f6a.html +content,unifi-site-manager-ccf-unifi-site-manager-wan-external-ip-geographic-deviation-9c0a7304-287e-f1b2-8b4f-c7444b8511ea-7ff20a11,content/unifi-site-manager-ccf-unifi-site-manager-wan-external-ip-geographic-deviation-9c0a7304-287e-f1b2-8b4f-c7444b8511ea-7ff20a11.md,content/unifi-site-manager-ccf-unifi-site-manager-wan-external-ip-geographic-deviation-9c0a7304-287e-f1b2-8b4f-c7444b8511ea-7ff20a11.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-wan-external-ip-geographic-deviation-9c0a7304-287e-f1b2-8b4f-c7444b8511ea-7ff20a11.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-wan-external-ip-geographic-deviation-9c0a7304-287e-f1b2-8b4f-c7444b8511ea-7ff20a11.html +content,unifi-site-manager-ccf-unifi-site-manager-wan-uptime-below-99-2bb29f25-833a-5544-4a8e-9bf6c4d8da56-c45d8533,content/unifi-site-manager-ccf-unifi-site-manager-wan-uptime-below-99-2bb29f25-833a-5544-4a8e-9bf6c4d8da56-c45d8533.md,content/unifi-site-manager-ccf-unifi-site-manager-wan-uptime-below-99-2bb29f25-833a-5544-4a8e-9bf6c4d8da56-c45d8533.html,Solutions 
Docs/content/unifi-site-manager-ccf-unifi-site-manager-wan-uptime-below-99-2bb29f25-833a-5544-4a8e-9bf6c4d8da56-c45d8533.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-wan-uptime-below-99-2bb29f25-833a-5544-4a8e-9bf6c4d8da56-c45d8533.html +content,unifi-site-manager-ccf-unifi-site-manager-wifi-quality-degraded-high-tx-retry-f5130582-9e0e-cb47-af0b-dcd8b261fa04-e554dfe0,content/unifi-site-manager-ccf-unifi-site-manager-wifi-quality-degraded-high-tx-retry-f5130582-9e0e-cb47-af0b-dcd8b261fa04-e554dfe0.md,content/unifi-site-manager-ccf-unifi-site-manager-wifi-quality-degraded-high-tx-retry-f5130582-9e0e-cb47-af0b-dcd8b261fa04-e554dfe0.html,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-wifi-quality-degraded-high-tx-retry-f5130582-9e0e-cb47-af0b-dcd8b261fa04-e554dfe0.md,Solutions Docs/content/unifi-site-manager-ccf-unifi-site-manager-wifi-quality-degraded-high-tx-retry-f5130582-9e0e-cb47-af0b-dcd8b261fa04-e554dfe0.html +content,unifi-site-manager-ccf-unifisitemanager-eafe5588,content/unifi-site-manager-ccf-unifisitemanager-eafe5588.md,content/unifi-site-manager-ccf-unifisitemanager-eafe5588.html,Solutions Docs/content/unifi-site-manager-ccf-unifisitemanager-eafe5588.md,Solutions Docs/content/unifi-site-manager-ccf-unifisitemanager-eafe5588.html content,urlhaus-urlhaus-checkhashandenrichincident-a6191f77,content/urlhaus-urlhaus-checkhashandenrichincident-a6191f77.md,content/urlhaus-urlhaus-checkhashandenrichincident-a6191f77.html,Solutions Docs/content/urlhaus-urlhaus-checkhashandenrichincident-a6191f77.md,Solutions Docs/content/urlhaus-urlhaus-checkhashandenrichincident-a6191f77.html content,urlhaus-urlhaus-checkhostandenrichincident-20c27ae9,content/urlhaus-urlhaus-checkhostandenrichincident-20c27ae9.md,content/urlhaus-urlhaus-checkhostandenrichincident-20c27ae9.html,Solutions Docs/content/urlhaus-urlhaus-checkhostandenrichincident-20c27ae9.md,Solutions Docs/content/urlhaus-urlhaus-checkhostandenrichincident-20c27ae9.html 
content,urlhaus-urlhaus-checkurlandenrichincident-be303913,content/urlhaus-urlhaus-checkurlandenrichincident-be303913.md,content/urlhaus-urlhaus-checkurlandenrichincident-be303913.html,Solutions Docs/content/urlhaus-urlhaus-checkurlandenrichincident-be303913.md,Solutions Docs/content/urlhaus-urlhaus-checkurlandenrichincident-be303913.html +content,utimaco-enterprise-secure-key-manager-eskmworkbook-845900db,content/utimaco-enterprise-secure-key-manager-eskmworkbook-845900db.md,content/utimaco-enterprise-secure-key-manager-eskmworkbook-845900db.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-eskmworkbook-845900db.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-eskmworkbook-845900db.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-after-hours-kmip-activity-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b04-a52dd019,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-after-hours-kmip-activity-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b04-a52dd019.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-after-hours-kmip-activity-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b04-a52dd019.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-after-hours-kmip-activity-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b04-a52dd019.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-after-hours-kmip-activity-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b04-a52dd019.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-burst-of-kmip-destroy-operations-by-a-single-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a03-5fa2afcb,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-burst-of-kmip-destroy-operations-by-a-single-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a03-5fa2afcb.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-burst-of-kmip-destroy-operations-by-a-single-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a03-5fa2afcb.html,Solutions 
Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-burst-of-kmip-destroy-operations-by-a-single-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a03-5fa2afcb.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-burst-of-kmip-destroy-operations-by-a-single-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a03-5fa2afcb.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-high-volume-private-key-retrievals-by-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b03-edf3b4f9,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-high-volume-private-key-retrievals-by-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b03-edf3b4f9.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-high-volume-private-key-retrievals-by-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b03-edf3b4f9.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-high-volume-private-key-retrievals-by-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b03-edf3b4f9.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-high-volume-private-key-retrievals-by-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b03-edf3b4f9.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-multiple-kmip-authentication-failures-from-same-ip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01-e75b8c05,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-multiple-kmip-authentication-failures-from-same-ip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01-e75b8c05.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-multiple-kmip-authentication-failures-from-same-ip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01-e75b8c05.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-multiple-kmip-authentication-failures-from-same-ip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01-e75b8c05.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-multiple-kmip-authentication-failures-from-same-ip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01-e75b8c05.html 
+content,utimaco-enterprise-secure-key-manager-utimaco-eskm-new-source-ips-connecting-to-kmip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b02-fce38bca,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-new-source-ips-connecting-to-kmip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b02-fce38bca.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-new-source-ips-connecting-to-kmip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b02-fce38bca.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-new-source-ips-connecting-to-kmip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b02-fce38bca.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-new-source-ips-connecting-to-kmip-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b02-fce38bca.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-permission-denied-burst-for-a-kmip-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a02-43bc2ce7,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-permission-denied-burst-for-a-kmip-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a02-43bc2ce7.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-permission-denied-burst-for-a-kmip-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a02-43bc2ce7.html,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-permission-denied-burst-for-a-kmip-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a02-43bc2ce7.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-permission-denied-burst-for-a-kmip-user-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a02-43bc2ce7.html +content,utimaco-enterprise-secure-key-manager-utimaco-eskm-rare-kmip-users-in-the-last-24-hours-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b01-e7cc8841,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-rare-kmip-users-in-the-last-24-hours-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b01-e7cc8841.md,content/utimaco-enterprise-secure-key-manager-utimaco-eskm-rare-kmip-users-in-the-last-24-hours-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b01-e7cc8841.html,Solutions 
Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-rare-kmip-users-in-the-last-24-hours-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b01-e7cc8841.md,Solutions Docs/content/utimaco-enterprise-secure-key-manager-utimaco-eskm-rare-kmip-users-in-the-last-24-hours-9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0b01-e7cc8841.html content,vaikora-crowdstrike-threatintelligence-vaikora-ai-agent-signals-to-crowdstrike-1c0c6d82,content/vaikora-crowdstrike-threatintelligence-vaikora-ai-agent-signals-to-crowdstrike-1c0c6d82.md,content/vaikora-crowdstrike-threatintelligence-vaikora-ai-agent-signals-to-crowdstrike-1c0c6d82.html,Solutions Docs/content/vaikora-crowdstrike-threatintelligence-vaikora-ai-agent-signals-to-crowdstrike-1c0c6d82.md,Solutions Docs/content/vaikora-crowdstrike-threatintelligence-vaikora-ai-agent-signals-to-crowdstrike-1c0c6d82.html content,vaikora-sentinel-vaikora-agent-policy-violation-54262ad1-f346-4246-a13f-9557595ff7bd-946b4697,content/vaikora-sentinel-vaikora-agent-policy-violation-54262ad1-f346-4246-a13f-9557595ff7bd-946b4697.md,content/vaikora-sentinel-vaikora-agent-policy-violation-54262ad1-f346-4246-a13f-9557595ff7bd-946b4697.html,Solutions Docs/content/vaikora-sentinel-vaikora-agent-policy-violation-54262ad1-f346-4246-a13f-9557595ff7bd-946b4697.md,Solutions Docs/content/vaikora-sentinel-vaikora-agent-policy-violation-54262ad1-f346-4246-a13f-9557595ff7bd-946b4697.html content,vaikora-sentinel-vaikora-behavioral-anomaly-detected-e61258ec-1a7f-454c-95b5-458a6edb1ea4-7a520c0a,content/vaikora-sentinel-vaikora-behavioral-anomaly-detected-e61258ec-1a7f-454c-95b5-458a6edb1ea4-7a520c0a.md,content/vaikora-sentinel-vaikora-behavioral-anomaly-detected-e61258ec-1a7f-454c-95b5-458a6edb1ea4-7a520c0a.html,Solutions Docs/content/vaikora-sentinel-vaikora-behavioral-anomaly-detected-e61258ec-1a7f-454c-95b5-458a6edb1ea4-7a520c0a.md,Solutions Docs/content/vaikora-sentinel-vaikora-behavioral-anomaly-detected-e61258ec-1a7f-454c-95b5-458a6edb1ea4-7a520c0a.html 
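Review bot: the slug sanitiser lets a literal `+` through in the `pending-firmware-updates-outstanding-for-7d+` rows of this hunk (the `.md`/`.html` paths under both `content/` and `Solutions Docs/content/`), while it evidently strips `%` and `>` elsewhere in the same hunk (`ips-signature-count-dropped-50`, `wan-uptime-below-99`). That is inconsistent, and `+` is a character many web servers, link checkers and URL encoders treat specially; map it to a word or drop it like the other punctuation. Since these slugs are derived from solution-authored rule display names and become file paths written under `Solutions Docs/content/`, also confirm the sanitiser rejects `/`, `\` and `..` outright rather than relying on a partial deny-list, so a crafted display name cannot produce a path outside the content directory.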
@@ -7954,6 +8027,7 @@ parser,exchangeadminauditlogs,parsers/exchangeadminauditlogs.md,parsers/exchange parser,exchangeconfiguration,parsers/exchangeconfiguration.md,parsers/exchangeconfiguration.html,Solutions Docs/parsers/exchangeconfiguration.md,Solutions Docs/parsers/exchangeconfiguration.html parser,exchangeenvironmentlist,parsers/exchangeenvironmentlist.md,parsers/exchangeenvironmentlist.html,Solutions Docs/parsers/exchangeenvironmentlist.md,Solutions Docs/parsers/exchangeenvironmentlist.html parser,extrahopdetections,parsers/extrahopdetections.md,parsers/extrahopdetections.html,Solutions Docs/parsers/extrahopdetections.md,Solutions Docs/parsers/extrahopdetections.html +parser,fieldeffect,parsers/fieldeffect.md,parsers/fieldeffect.html,Solutions Docs/parsers/fieldeffect.md,Solutions Docs/parsers/fieldeffect.html parser,filewallm365exchangeevent,parsers/filewallm365exchangeevent.md,parsers/filewallm365exchangeevent.html,Solutions Docs/parsers/filewallm365exchangeevent.md,Solutions Docs/parsers/filewallm365exchangeevent.html parser,filewallm365fileevent,parsers/filewallm365fileevent.md,parsers/filewallm365fileevent.html,Solutions Docs/parsers/filewallm365fileevent.md,Solutions Docs/parsers/filewallm365fileevent.html parser,fireeyenxevent,parsers/fireeyenxevent.md,parsers/fireeyenxevent.html,Solutions Docs/parsers/fireeyenxevent.md,Solutions Docs/parsers/fireeyenxevent.html 
@@ -7977,6 +8051,7 @@ parser,githubsecretscanningdata,parsers/githubsecretscanningdata.md,parsers/gith parser,gitlabaccess,parsers/gitlabaccess.md,parsers/gitlabaccess.html,Solutions Docs/parsers/gitlabaccess.md,Solutions Docs/parsers/gitlabaccess.html parser,gitlabapp,parsers/gitlabapp.md,parsers/gitlabapp.html,Solutions Docs/parsers/gitlabapp.md,Solutions Docs/parsers/gitlabapp.html parser,gitlabaudit,parsers/gitlabaudit.md,parsers/gitlabaudit.html,Solutions Docs/parsers/gitlabaudit.md,Solutions Docs/parsers/gitlabaudit.html +parser,googlesecopsdetectionalerts,parsers/googlesecopsdetectionalerts.md,parsers/googlesecopsdetectionalerts.html,Solutions Docs/parsers/googlesecopsdetectionalerts.md,Solutions Docs/parsers/googlesecopsdetectionalerts.html parser,guardian,parsers/guardian.md,parsers/guardian.html,Solutions Docs/parsers/guardian.md,Solutions Docs/parsers/guardian.html parser,gworkspaceactivityreports,parsers/gworkspaceactivityreports.md,parsers/gworkspaceactivityreports.html,Solutions Docs/parsers/gworkspaceactivityreports.md,Solutions Docs/parsers/gworkspaceactivityreports.html parser,hackerviewlog,parsers/hackerviewlog.md,parsers/hackerviewlog.html,Solutions Docs/parsers/hackerviewlog.md,Solutions Docs/parsers/hackerviewlog.html 
@@ -8202,6 +8277,7 @@ solution,agilesec-analytics-connector,solutions/agilesec-analytics-connector.md, solution,ai-analyst-darktrace,solutions/ai-analyst-darktrace.md,solutions/ai-analyst-darktrace.html,Solutions Docs/solutions/ai-analyst-darktrace.md,Solutions Docs/solutions/ai-analyst-darktrace.html solution,airlockdigital,solutions/airlockdigital.md,solutions/airlockdigital.html,Solutions Docs/solutions/airlockdigital.md,Solutions Docs/solutions/airlockdigital.html solution,aishield-ai-security-monitoring,solutions/aishield-ai-security-monitoring.md,solutions/aishield-ai-security-monitoring.html,Solutions Docs/solutions/aishield-ai-security-monitoring.md,Solutions Docs/solutions/aishield-ai-security-monitoring.html +solution,akamai-guardicore,solutions/akamai-guardicore.md,solutions/akamai-guardicore.html,Solutions Docs/solutions/akamai-guardicore.md,Solutions Docs/solutions/akamai-guardicore.html solution,akamai-security-events,solutions/akamai-security-events.md,solutions/akamai-security-events.html,Solutions Docs/solutions/akamai-security-events.md,Solutions Docs/solutions/akamai-security-events.html solution,alc-webctrl,solutions/alc-webctrl.md,solutions/alc-webctrl.html,Solutions Docs/solutions/alc-webctrl.md,Solutions Docs/solutions/alc-webctrl.html solution,alibaba-cloud-actiontrail,solutions/alibaba-cloud-actiontrail.md,solutions/alibaba-cloud-actiontrail.html,Solutions Docs/solutions/alibaba-cloud-actiontrail.md,Solutions Docs/solutions/alibaba-cloud-actiontrail.html 
@@ -8382,6 +8458,7 @@ solution,f5-networks,solutions/f5-networks.md,solutions/f5-networks.html,Solutio solution,falconfriday,solutions/falconfriday.md,solutions/falconfriday.html,Solutions Docs/solutions/falconfriday.md,Solutions Docs/solutions/falconfriday.html solution,farsight-dnsdb,solutions/farsight-dnsdb.md,solutions/farsight-dnsdb.html,Solutions Docs/solutions/farsight-dnsdb.md,Solutions Docs/solutions/farsight-dnsdb.html solution,feedly,solutions/feedly.md,solutions/feedly.html,Solutions Docs/solutions/feedly.md,Solutions Docs/solutions/feedly.html +solution,fieldeffectmdr,solutions/fieldeffectmdr.md,solutions/fieldeffectmdr.html,Solutions Docs/solutions/fieldeffectmdr.md,Solutions Docs/solutions/fieldeffectmdr.html solution,filewall-for-microsoft-365,solutions/filewall-for-microsoft-365.md,solutions/filewall-for-microsoft-365.html,Solutions Docs/solutions/filewall-for-microsoft-365.md,Solutions Docs/solutions/filewall-for-microsoft-365.html solution,fireeye-network-security,solutions/fireeye-network-security.md,solutions/fireeye-network-security.html,Solutions Docs/solutions/fireeye-network-security.md,Solutions Docs/solutions/fireeye-network-security.html solution,flare,solutions/flare.md,solutions/flare.html,Solutions Docs/solutions/flare.md,Solutions Docs/solutions/flare.html 
@@ -8422,6 +8499,7 @@ solution,googlecloudplatformnat,solutions/googlecloudplatformnat.md,solutions/go solution,googlecloudplatformresourcemanager,solutions/googlecloudplatformresourcemanager.md,solutions/googlecloudplatformresourcemanager.html,Solutions Docs/solutions/googlecloudplatformresourcemanager.md,Solutions Docs/solutions/googlecloudplatformresourcemanager.html solution,googlecloudplatformsql,solutions/googlecloudplatformsql.md,solutions/googlecloudplatformsql.html,Solutions Docs/solutions/googlecloudplatformsql.md,Solutions Docs/solutions/googlecloudplatformsql.html solution,googledirectory,solutions/googledirectory.md,solutions/googledirectory.html,Solutions Docs/solutions/googledirectory.md,Solutions Docs/solutions/googledirectory.html +solution,googlesecops,solutions/googlesecops.md,solutions/googlesecops.html,Solutions Docs/solutions/googlesecops.md,Solutions Docs/solutions/googlesecops.html solution,googleworkspacereports,solutions/googleworkspacereports.md,solutions/googleworkspacereports.html,Solutions Docs/solutions/googleworkspacereports.md,Solutions Docs/solutions/googleworkspacereports.html solution,gravityzone,solutions/gravityzone.md,solutions/gravityzone.html,Solutions Docs/solutions/gravityzone.md,Solutions Docs/solutions/gravityzone.html solution,greynoisethreatintelligence,solutions/greynoisethreatintelligence.md,solutions/greynoisethreatintelligence.html,Solutions Docs/solutions/greynoisethreatintelligence.md,Solutions Docs/solutions/greynoisethreatintelligence.html 
@@ -8479,6 +8557,7 @@ solution,mcafee-epolicy-orchestrator,solutions/mcafee-epolicy-orchestrator.md,so solution,mcafee-network-security-platform,solutions/mcafee-network-security-platform.md,solutions/mcafee-network-security-platform.html,Solutions Docs/solutions/mcafee-network-security-platform.md,Solutions Docs/solutions/mcafee-network-security-platform.html solution,meshstack,solutions/meshstack.md,solutions/meshstack.html,Solutions Docs/solutions/meshstack.md,Solutions Docs/solutions/meshstack.html solution,microsoft-365-assets,solutions/microsoft-365-assets.md,solutions/microsoft-365-assets.html,Solutions Docs/solutions/microsoft-365-assets.md,Solutions Docs/solutions/microsoft-365-assets.html +solution,microsoft-365-audit-general-and-dlp,solutions/microsoft-365-audit-general-and-dlp.md,solutions/microsoft-365-audit-general-and-dlp.html,Solutions Docs/solutions/microsoft-365-audit-general-and-dlp.md,Solutions Docs/solutions/microsoft-365-audit-general-and-dlp.html solution,microsoft-365,solutions/microsoft-365.md,solutions/microsoft-365.html,Solutions Docs/solutions/microsoft-365.md,Solutions Docs/solutions/microsoft-365.html solution,microsoft-business-applications,solutions/microsoft-business-applications.md,solutions/microsoft-business-applications.html,Solutions Docs/solutions/microsoft-business-applications.md,Solutions Docs/solutions/microsoft-business-applications.html solution,microsoft-copilot,solutions/microsoft-copilot.md,solutions/microsoft-copilot.html,Solutions Docs/solutions/microsoft-copilot.md,Solutions Docs/solutions/microsoft-copilot.html 
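Review bot: the new `microsoft-365-audit-general-and-dlp` row lands between `microsoft-365-assets` and `microsoft-365`, which is not byte order of the slug (`microsoft-365` would sort first as the shorter prefix); it matches the pre-existing placement of `microsoft-365-assets`, so the generator is sorting on some key other than the slug. Whatever that key is, document it next to the CSV writer and make the sort stable and case-insensitive, so that regenerating the index does not reorder these rows and produce noisy diffs like this one on every run.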
@@ -8633,6 +8712,7 @@ solution,spur,solutions/spur.md,solutions/spur.html,Solutions Docs/solutions/spu solution,spycloud-enterprise-protection,solutions/spycloud-enterprise-protection.md,solutions/spycloud-enterprise-protection.html,Solutions Docs/solutions/spycloud-enterprise-protection.md,Solutions Docs/solutions/spycloud-enterprise-protection.html solution,squadra-technologies-secrmm,solutions/squadra-technologies-secrmm.md,solutions/squadra-technologies-secrmm.html,Solutions Docs/solutions/squadra-technologies-secrmm.md,Solutions Docs/solutions/squadra-technologies-secrmm.html solution,squidproxy,solutions/squidproxy.md,solutions/squidproxy.html,Solutions Docs/solutions/squidproxy.md,Solutions Docs/solutions/squidproxy.html +solution,stealthtalk,solutions/stealthtalk.md,solutions/stealthtalk.html,Solutions Docs/solutions/stealthtalk.md,Solutions Docs/solutions/stealthtalk.html solution,strider-shield,solutions/strider-shield.md,solutions/strider-shield.html,Solutions Docs/solutions/strider-shield.md,Solutions Docs/solutions/strider-shield.html solution,styx-intelligence,solutions/styx-intelligence.md,solutions/styx-intelligence.html,Solutions Docs/solutions/styx-intelligence.md,Solutions Docs/solutions/styx-intelligence.html solution,symantec-endpoint-protection,solutions/symantec-endpoint-protection.md,solutions/symantec-endpoint-protection.html,Solutions Docs/solutions/symantec-endpoint-protection.md,Solutions Docs/solutions/symantec-endpoint-protection.html 
@@ -8674,8 +8754,10 @@ solution,trend-micro-vision-one,solutions/trend-micro-vision-one.md,solutions/tr solution,tropico,solutions/tropico.md,solutions/tropico.html,Solutions Docs/solutions/tropico.md,Solutions Docs/solutions/tropico.html solution,ubiquiti-unifi,solutions/ubiquiti-unifi.md,solutions/ubiquiti-unifi.html,Solutions Docs/solutions/ubiquiti-unifi.md,Solutions Docs/solutions/ubiquiti-unifi.html solution,ueba-essentials,solutions/ueba-essentials.md,solutions/ueba-essentials.html,Solutions Docs/solutions/ueba-essentials.md,Solutions Docs/solutions/ueba-essentials.html +solution,unifi-site-manager-ccf,solutions/unifi-site-manager-ccf.md,solutions/unifi-site-manager-ccf.html,Solutions Docs/solutions/unifi-site-manager-ccf.md,Solutions Docs/solutions/unifi-site-manager-ccf.html solution,upwind,solutions/upwind.md,solutions/upwind.html,Solutions Docs/solutions/upwind.md,Solutions Docs/solutions/upwind.html solution,urlhaus,solutions/urlhaus.md,solutions/urlhaus.html,Solutions Docs/solutions/urlhaus.md,Solutions Docs/solutions/urlhaus.html +solution,utimaco-enterprise-secure-key-manager,solutions/utimaco-enterprise-secure-key-manager.md,solutions/utimaco-enterprise-secure-key-manager.html,Solutions Docs/solutions/utimaco-enterprise-secure-key-manager.md,Solutions Docs/solutions/utimaco-enterprise-secure-key-manager.html solution,vaikora-crowdstrike-threatintelligence,solutions/vaikora-crowdstrike-threatintelligence.md,solutions/vaikora-crowdstrike-threatintelligence.html,Solutions Docs/solutions/vaikora-crowdstrike-threatintelligence.md,Solutions Docs/solutions/vaikora-crowdstrike-threatintelligence.html solution,vaikora-sentinel,solutions/vaikora-sentinel.md,solutions/vaikora-sentinel.html,Solutions Docs/solutions/vaikora-sentinel.md,Solutions Docs/solutions/vaikora-sentinel.html solution,vaikora-sentinelone-threatintelligence,solutions/vaikora-sentinelone-threatintelligence.md,solutions/vaikora-sentinelone-threatintelligence.html,Solutions 
Docs/solutions/vaikora-sentinelone-threatintelligence.md,Solutions Docs/solutions/vaikora-sentinelone-threatintelligence.html @@ -9285,6 +9367,7 @@ table,cisco-umbrella-ztna-cl,tables/cisco-umbrella-ztna-cl.md,tables/cisco-umbre table,cisco-umbrella,tables/cisco-umbrella.md,tables/cisco-umbrella.html,Solutions Docs/tables/cisco-umbrella.md,Solutions Docs/tables/cisco-umbrella.html table,ciscoduo-cl,tables/ciscoduo-cl.md,tables/ciscoduo-cl.html,Solutions Docs/tables/ciscoduo-cl.md,Solutions Docs/tables/ciscoduo-cl.html table,ciscoetd-cl,tables/ciscoetd-cl.md,tables/ciscoetd-cl.html,Solutions Docs/tables/ciscoetd-cl.md,Solutions Docs/tables/ciscoetd-cl.html +table,ciscoetdv2-cl,tables/ciscoetdv2-cl.md,tables/ciscoetdv2-cl.html,Solutions Docs/tables/ciscoetdv2-cl.md,Solutions Docs/tables/ciscoetdv2-cl.html table,ciscomerakinativepoller-cl,tables/ciscomerakinativepoller-cl.md,tables/ciscomerakinativepoller-cl.html,Solutions Docs/tables/ciscomerakinativepoller-cl.md,Solutions Docs/tables/ciscomerakinativepoller-cl.html table,ciscosdwannetflow-cl,tables/ciscosdwannetflow-cl.md,tables/ciscosdwannetflow-cl.html,Solutions Docs/tables/ciscosdwannetflow-cl.md,Solutions Docs/tables/ciscosdwannetflow-cl.html table,ciscosecureendpoint-cl,tables/ciscosecureendpoint-cl.md,tables/ciscosecureendpoint-cl.html,Solutions Docs/tables/ciscosecureendpoint-cl.md,Solutions Docs/tables/ciscosecureendpoint-cl.html 
@@ -9643,6 +9726,7 @@ table,dcplanbillingeventlogs,tables/dcplanbillingeventlogs.md,tables/dcplanbilli table,dcrlogerrors,tables/dcrlogerrors.md,tables/dcrlogerrors.html,Solutions Docs/tables/dcrlogerrors.md,Solutions Docs/tables/dcrlogerrors.html table,defenderforsqlalerts,tables/defenderforsqlalerts.md,tables/defenderforsqlalerts.html,Solutions Docs/tables/defenderforsqlalerts.md,Solutions Docs/tables/defenderforsqlalerts.html table,defenderforsqltelemetry,tables/defenderforsqltelemetry.md,tables/defenderforsqltelemetry.html,Solutions Docs/tables/defenderforsqltelemetry.md,Solutions Docs/tables/defenderforsqltelemetry.html +table,detectionalerts-cl,tables/detectionalerts-cl.md,tables/detectionalerts-cl.html,Solutions Docs/tables/detectionalerts-cl.md,Solutions Docs/tables/detectionalerts-cl.html table,detections-data-cl,tables/detections-data-cl.md,tables/detections-data-cl.html,Solutions Docs/tables/detections-data-cl.md,Solutions Docs/tables/detections-data-cl.html table,devcenteragenthealthlogs,tables/devcenteragenthealthlogs.md,tables/devcenteragenthealthlogs.html,Solutions Docs/tables/devcenteragenthealthlogs.md,Solutions Docs/tables/devcenteragenthealthlogs.html table,devcenterbillingeventlogs,tables/devcenterbillingeventlogs.md,tables/devcenterbillingeventlogs.html,Solutions Docs/tables/devcenterbillingeventlogs.md,Solutions Docs/tables/devcenterbillingeventlogs.html 
@@ -9806,6 +9890,7 @@ table,failed-indicators-cl,tables/failed-indicators-cl.md,tables/failed-indicato table,failed-range-to-ingest-cl,tables/failed-range-to-ingest-cl.md,tables/failed-range-to-ingest-cl.html,Solutions Docs/tables/failed-range-to-ingest-cl.md,Solutions Docs/tables/failed-range-to-ingest-cl.html table,failedingestion,tables/failedingestion.md,tables/failedingestion.html,Solutions Docs/tables/failedingestion.md,Solutions Docs/tables/failedingestion.html table,feedly-indicators-cl,tables/feedly-indicators-cl.md,tables/feedly-indicators-cl.html,Solutions Docs/tables/feedly-indicators-cl.md,Solutions Docs/tables/feedly-indicators-cl.html +table,fieldeffectaroalerts-cl,tables/fieldeffectaroalerts-cl.md,tables/fieldeffectaroalerts-cl.html,Solutions Docs/tables/fieldeffectaroalerts-cl.md,Solutions Docs/tables/fieldeffectaroalerts-cl.html table,filemaliciouscontentinfo,tables/filemaliciouscontentinfo.md,tables/filemaliciouscontentinfo.html,Solutions Docs/tables/filemaliciouscontentinfo.md,Solutions Docs/tables/filemaliciouscontentinfo.html table,filewallexchange-cl,tables/filewallexchange-cl.md,tables/filewallexchange-cl.html,Solutions Docs/tables/filewallexchange-cl.md,Solutions Docs/tables/filewallexchange-cl.html table,filewallfile-cl,tables/filewallfile-cl.md,tables/filewallfile-cl.html,Solutions Docs/tables/filewallfile-cl.md,Solutions Docs/tables/filewallfile-cl.html 
@@ -9898,6 +9983,12 @@ table,greynoiseipcommunity-cl,tables/greynoiseipcommunity-cl.md,tables/greynoise table,greynoiseipcontext-cl,tables/greynoiseipcontext-cl.md,tables/greynoiseipcontext-cl.html,Solutions Docs/tables/greynoiseipcontext-cl.md,Solutions Docs/tables/greynoiseipcontext-cl.html table,greynoiseipriot-cl,tables/greynoiseipriot-cl.md,tables/greynoiseipriot-cl.html,Solutions Docs/tables/greynoiseipriot-cl.md,Solutions Docs/tables/greynoiseipriot-cl.html table,guardian-cl,tables/guardian-cl.md,tables/guardian-cl.html,Solutions Docs/tables/guardian-cl.md,Solutions Docs/tables/guardian-cl.html +table,guardicoreagents-cl,tables/guardicoreagents-cl.md,tables/guardicoreagents-cl.html,Solutions Docs/tables/guardicoreagents-cl.md,Solutions Docs/tables/guardicoreagents-cl.html +table,guardicoreapplications-cl,tables/guardicoreapplications-cl.md,tables/guardicoreapplications-cl.html,Solutions Docs/tables/guardicoreapplications-cl.md,Solutions Docs/tables/guardicoreapplications-cl.html +table,guardicoreassets-cl,tables/guardicoreassets-cl.md,tables/guardicoreassets-cl.html,Solutions Docs/tables/guardicoreassets-cl.md,Solutions Docs/tables/guardicoreassets-cl.html +table,guardicoreenrichingconnections-cl,tables/guardicoreenrichingconnections-cl.md,tables/guardicoreenrichingconnections-cl.html,Solutions Docs/tables/guardicoreenrichingconnections-cl.md,Solutions Docs/tables/guardicoreenrichingconnections-cl.html +table,guardicorepolicyrules-cl,tables/guardicorepolicyrules-cl.md,tables/guardicorepolicyrules-cl.html,Solutions Docs/tables/guardicorepolicyrules-cl.md,Solutions Docs/tables/guardicorepolicyrules-cl.html +table,guardicoreprocessedincidents-cl,tables/guardicoreprocessedincidents-cl.md,tables/guardicoreprocessedincidents-cl.html,Solutions Docs/tables/guardicoreprocessedincidents-cl.md,Solutions Docs/tables/guardicoreprocessedincidents-cl.html 
table,gworkspace-reportsapi-access-transparency-cl,tables/gworkspace-reportsapi-access-transparency-cl.md,tables/gworkspace-reportsapi-access-transparency-cl.html,Solutions Docs/tables/gworkspace-reportsapi-access-transparency-cl.md,Solutions Docs/tables/gworkspace-reportsapi-access-transparency-cl.html table,gworkspace-reportsapi-admin-cl,tables/gworkspace-reportsapi-admin-cl.md,tables/gworkspace-reportsapi-admin-cl.html,Solutions Docs/tables/gworkspace-reportsapi-admin-cl.md,Solutions Docs/tables/gworkspace-reportsapi-admin-cl.html table,gworkspace-reportsapi-calendar-cl,tables/gworkspace-reportsapi-calendar-cl.md,tables/gworkspace-reportsapi-calendar-cl.html,Solutions Docs/tables/gworkspace-reportsapi-calendar-cl.md,Solutions Docs/tables/gworkspace-reportsapi-calendar-cl.html 
@@ -10083,6 +10174,7 @@ table,logicappworkflowruntime,tables/logicappworkflowruntime.md,tables/logicappw table,lookout-cl,tables/lookout-cl.md,tables/lookout-cl.html,Solutions Docs/tables/lookout-cl.md,Solutions Docs/tables/lookout-cl.html table,lookoutcloudsecurity-cl,tables/lookoutcloudsecurity-cl.md,tables/lookoutcloudsecurity-cl.html,Solutions Docs/tables/lookoutcloudsecurity-cl.md,Solutions Docs/tables/lookoutcloudsecurity-cl.html table,lookoutmtdv2-cl,tables/lookoutmtdv2-cl.md,tables/lookoutmtdv2-cl.html,Solutions Docs/tables/lookoutmtdv2-cl.md,Solutions Docs/tables/lookoutmtdv2-cl.html +table,m365auditgeneral-cl,tables/m365auditgeneral-cl.md,tables/m365auditgeneral-cl.html,Solutions Docs/tables/m365auditgeneral-cl.md,Solutions Docs/tables/m365auditgeneral-cl.html table,m365securescore-cl,tables/m365securescore-cl.md,tables/m365securescore-cl.html,Solutions Docs/tables/m365securescore-cl.md,Solutions Docs/tables/m365securescore-cl.html table,m365securescorecontrols-cl,tables/m365securescorecontrols-cl.md,tables/m365securescorecontrols-cl.html,Solutions Docs/tables/m365securescorecontrols-cl.md,Solutions Docs/tables/m365securescorecontrols-cl.html table,maapplication,tables/maapplication.md,tables/maapplication.html,Solutions Docs/tables/maapplication.md,Solutions Docs/tables/maapplication.html 
@@ -10172,6 +10264,8 @@ table,mpcingestionlogs,tables/mpcingestionlogs.md,tables/mpcingestionlogs.html,S table,mptoperation,tables/mptoperation.md,tables/mptoperation.html,Solutions Docs/tables/mptoperation.md,Solutions Docs/tables/mptoperation.html table,mulesoft-cloudhub-cl,tables/mulesoft-cloudhub-cl.md,tables/mulesoft-cloudhub-cl.html,Solutions Docs/tables/mulesoft-cloudhub-cl.md,Solutions Docs/tables/mulesoft-cloudhub-cl.html table,mulesoftauditlogs-cl,tables/mulesoftauditlogs-cl.md,tables/mulesoftauditlogs-cl.html,Solutions Docs/tables/mulesoftauditlogs-cl.md,Solutions Docs/tables/mulesoftauditlogs-cl.html +table,mulesoftcloudhubalerts-cl,tables/mulesoftcloudhubalerts-cl.md,tables/mulesoftcloudhubalerts-cl.html,Solutions Docs/tables/mulesoftcloudhubalerts-cl.md,Solutions Docs/tables/mulesoftcloudhubalerts-cl.html +table,mulesoftcloudhublogs-cl,tables/mulesoftcloudhublogs-cl.md,tables/mulesoftcloudhublogs-cl.html,Solutions Docs/tables/mulesoftcloudhublogs-cl.md,Solutions Docs/tables/mulesoftcloudhublogs-cl.html table,mysqlauditlogs,tables/mysqlauditlogs.md,tables/mysqlauditlogs.html,Solutions Docs/tables/mysqlauditlogs.md,Solutions Docs/tables/mysqlauditlogs.html table,mysqlerrorlogs,tables/mysqlerrorlogs.md,tables/mysqlerrorlogs.html,Solutions Docs/tables/mysqlerrorlogs.md,Solutions Docs/tables/mysqlerrorlogs.html table,mysqlslowlogs,tables/mysqlslowlogs.md,tables/mysqlslowlogs.html,Solutions Docs/tables/mysqlslowlogs.md,Solutions Docs/tables/mysqlslowlogs.html 
@@ -10513,6 +10607,7 @@ table,sqlthreatprotectionloginaudits,tables/sqlthreatprotectionloginaudits.md,ta table,sqlvulnerabilityassessmentresult,tables/sqlvulnerabilityassessmentresult.md,tables/sqlvulnerabilityassessmentresult.html,Solutions Docs/tables/sqlvulnerabilityassessmentresult.md,Solutions Docs/tables/sqlvulnerabilityassessmentresult.html table,sqlvulnerabilityassessmentscanstatus,tables/sqlvulnerabilityassessmentscanstatus.md,tables/sqlvulnerabilityassessmentscanstatus.html,Solutions Docs/tables/sqlvulnerabilityassessmentscanstatus.md,Solutions Docs/tables/sqlvulnerabilityassessmentscanstatus.html table,squidproxy-cl,tables/squidproxy-cl.md,tables/squidproxy-cl.html,Solutions Docs/tables/squidproxy-cl.md,Solutions Docs/tables/squidproxy-cl.html +table,stealthtalkanomalousauth-cl,tables/stealthtalkanomalousauth-cl.md,tables/stealthtalkanomalousauth-cl.html,Solutions Docs/tables/stealthtalkanomalousauth-cl.md,Solutions Docs/tables/stealthtalkanomalousauth-cl.html table,storagebloblogs,tables/storagebloblogs.md,tables/storagebloblogs.html,Solutions Docs/tables/storagebloblogs.md,Solutions Docs/tables/storagebloblogs.html table,storagecacheoperationevents,tables/storagecacheoperationevents.md,tables/storagecacheoperationevents.html,Solutions Docs/tables/storagecacheoperationevents.md,Solutions Docs/tables/storagecacheoperationevents.html table,storagecacheupgradeevents,tables/storagecacheupgradeevents.md,tables/storagecacheupgradeevents.html,Solutions Docs/tables/storagecacheupgradeevents.md,Solutions Docs/tables/storagecacheupgradeevents.html 
@@ -10647,6 +10742,10 @@ table,ucdoaggregatedstatus,tables/ucdoaggregatedstatus.md,tables/ucdoaggregateds table,ucdostatus,tables/ucdostatus.md,tables/ucdostatus.html,Solutions Docs/tables/ucdostatus.md,Solutions Docs/tables/ucdostatus.html table,ucserviceupdatestatus,tables/ucserviceupdatestatus.md,tables/ucserviceupdatestatus.html,Solutions Docs/tables/ucserviceupdatestatus.md,Solutions Docs/tables/ucserviceupdatestatus.html table,ucupdatealert,tables/ucupdatealert.md,tables/ucupdatealert.html,Solutions Docs/tables/ucupdatealert.md,Solutions Docs/tables/ucupdatealert.html +table,unifi-sitemanager-devices-cl,tables/unifi-sitemanager-devices-cl.md,tables/unifi-sitemanager-devices-cl.html,Solutions Docs/tables/unifi-sitemanager-devices-cl.md,Solutions Docs/tables/unifi-sitemanager-devices-cl.html +table,unifi-sitemanager-hosts-cl,tables/unifi-sitemanager-hosts-cl.md,tables/unifi-sitemanager-hosts-cl.html,Solutions Docs/tables/unifi-sitemanager-hosts-cl.md,Solutions Docs/tables/unifi-sitemanager-hosts-cl.html +table,unifi-sitemanager-ispmetrics-cl,tables/unifi-sitemanager-ispmetrics-cl.md,tables/unifi-sitemanager-ispmetrics-cl.html,Solutions Docs/tables/unifi-sitemanager-ispmetrics-cl.md,Solutions Docs/tables/unifi-sitemanager-ispmetrics-cl.html +table,unifi-sitemanager-sites-cl,tables/unifi-sitemanager-sites-cl.md,tables/unifi-sitemanager-sites-cl.html,Solutions Docs/tables/unifi-sitemanager-sites-cl.md,Solutions Docs/tables/unifi-sitemanager-sites-cl.html table,update,tables/update.md,tables/update.html,Solutions Docs/tables/update.md,Solutions Docs/tables/update.html table,updaterunprogress,tables/updaterunprogress.md,tables/updaterunprogress.html,Solutions Docs/tables/updaterunprogress.md,Solutions Docs/tables/updaterunprogress.html table,updatesummary,tables/updatesummary.md,tables/updatesummary.html,Solutions Docs/tables/updatesummary.md,Solutions Docs/tables/updatesummary.html 
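Review bot: the four `unifi-sitemanager-*-cl` table rows in this hunk (like the `unifi-site-manager-ccf` solution row and the six `guardicore*-cl` rows in the earlier hunks) point at generated pages such as `tables/unifi-sitemanager-devices-cl.md` and their `.html` twins, but no hunks for those page files are visible in this diff; please confirm the pages were regenerated in the same commit so the index does not reference files that do not exist. Also note the slug mismatch between the solution (`unifi-site-manager-ccf`) and its tables (`unifi-sitemanager-*`): if both are derived from the source names that is fine, but the cross-link from the solution page to these tables is worth a spot check.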
@@ -10656,6 +10755,7 @@ table,usage,tables/usage.md,tables/usage.html,Solutions Docs/tables/usage.md,Sol table,useraccessanalytics,tables/useraccessanalytics.md,tables/useraccessanalytics.html,Solutions Docs/tables/useraccessanalytics.md,Solutions Docs/tables/useraccessanalytics.html table,userpeeranalytics,tables/userpeeranalytics.md,tables/userpeeranalytics.html,Solutions Docs/tables/userpeeranalytics.md,Solutions Docs/tables/userpeeranalytics.html table,users-cl,tables/users-cl.md,tables/users-cl.html,Solutions Docs/tables/users-cl.md,Solutions Docs/tables/users-cl.html +table,utimacoeskmkmipserverlogs-cl,tables/utimacoeskmkmipserverlogs-cl.md,tables/utimacoeskmkmipserverlogs-cl.html,Solutions Docs/tables/utimacoeskmkmipserverlogs-cl.md,Solutions Docs/tables/utimacoeskmkmipserverlogs-cl.html table,vaikora-agentsignals-cl,tables/vaikora-agentsignals-cl.md,tables/vaikora-agentsignals-cl.html,Solutions Docs/tables/vaikora-agentsignals-cl.md,Solutions Docs/tables/vaikora-agentsignals-cl.html table,vaikora-securityalerts-cl,tables/vaikora-securityalerts-cl.md,tables/vaikora-securityalerts-cl.html,Solutions Docs/tables/vaikora-securityalerts-cl.md,Solutions Docs/tables/vaikora-securityalerts-cl.html table,valencealert-cl,tables/valencealert-cl.md,tables/valencealert-cl.html,Solutions Docs/tables/valencealert-cl.md,Solutions Docs/tables/valencealert-cl.html diff --git a/Tools/Solutions Analyzer/asim_parsers.csv b/Tools/Solutions Analyzer/asim_parsers.csv index 2bc7d590acf..07cc64dade0 100644 --- a/Tools/Solutions Analyzer/asim_parsers.csv +++ b/Tools/Solutions Analyzer/asim_parsers.csv 
@@ -1,12 +1,13 @@ parser_name,equivalent_builtin,schema,schema_version,parser_type,parser_title,parser_version,parser_last_updated,product_name,description,tables,sub_parsers,parser_params,filter_fields,associated_connectors,associated_solutions,references,source_file,github_url ASimAgentEvent,_ASim_AgentEvent,AgentEvent,0.1.0,union,Agent Event ASIM parser,0.1.0,"Apr 16, 2026",Source agnostic,This ASIM parser supports normalizing Agent Event logs from all supported sources to the ASIM Agent Event normalized schema.,,_Im_AgentEvent_Empty,pack:bool=False,,,,[ASIM Agent Event Schema](https://aka.ms/ASimAgentEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAgentEvent\Parsers\ASimAgentEntity.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/Parsers/ASimAgentEntity.yaml imAgentEvent,_Im_AgentEvent,AgentEvent,0.1.0,union,Agent Event ASIM filtering parser,0.1.0,"Apr 16, 2026",Source agnostic,This ASIM parser supports filtering and normalizing Agent Event logs from all supported sources to the ASIM 'AgentEvent' normalized schema.,,_Im_AgentEvent_Empty,starttime:datetime=datetime(null);endtime:datetime=datetime(null);agentid_has_any:dynamic=dynamic([]);agentname_has_any:dynamic=dynamic([]);username_has_any:dynamic=dynamic([]);pack:bool=False,,,,[ASIM Agent Event Schema](https://aka.ms/ASimAgentEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAgentEvent\Parsers\imAgentEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/Parsers/imAgentEvent.yaml -ASimAlertEvent,_ASim_AlertEvent,AlertEvent,0.1,union,Alert Event ASIM parser,0.1.2,"Apr 22, 2026",Source agnostic,This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.,,_Im_AlertEvent_Empty;_ASim_AlertEvent_BitdefenderGravityZone;_ASim_AlertEvent_MicrosoftDefenderXDR;_ASim_AlertEvent_SentinelOneSingularity;_ASim_AlertEvent_CiscoSecureEndpoint,pack:bool=False,,,,[ASIM Alert 
Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml -ASimAlertEventBitdefenderGravityZone,_ASim_AlertEvent_BitdefenderGravityZone,AlertEvent,0.1,source,Alert event ASIM parser for Bitdefender GravityZone,0.1.0,"May 26, 2026",Bitdefender,This ASIM parser supports normalizing the Bitdefender GravityZone logs to the ASIM Alert normalized schema.,GzSecurityEvents_CL,,disabled:bool=False;pack:bool=False,,GravityZoneDataConnector,GravityZone,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEventBitdefenderGravityZone.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventBitdefenderGravityZone.yaml +ASimAlertEvent,_ASim_AlertEvent,AlertEvent,0.1,union,Alert Event ASIM parser,0.1.3,"Jun 03, 2026",Source agnostic,This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.,,_Im_AlertEvent_Empty;_ASim_AlertEvent_BitdefenderGravityZone;_ASim_AlertEvent_MicrosoftDefenderXDR;_ASim_AlertEvent_SentinelOneSingularity;_ASim_AlertEvent_CiscoSecureEndpoint;_ASim_AlertEvent_PaloAltoXDR,pack:bool=False,,,,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml +ASimAlertEventBitdefenderGravityZone,_ASim_AlertEvent_BitdefenderGravityZone,AlertEvent,0.1,source,Alert event ASIM parser for Bitdefender GravityZone,0.1.0,"Jun 08, 2026",Bitdefender,This ASIM parser supports normalizing the Bitdefender GravityZone logs to the ASIM Alert normalized schema.,GzSecurityEvents_CL,,disabled:bool=False;pack:bool=False,,GravityZoneDataConnector,GravityZone,[ASIM Alert 
Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEventBitdefenderGravityZone.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventBitdefenderGravityZone.yaml ASimAlertEventCiscoSecureEndpoint,_ASim_AlertEvent_CiscoSecureEndpoint,AlertEvent,0.1,source,Alert Event ASIM parser for Cisco Secure Endpoint,0.1.0,"Mar 04, 2026",Cisco Secure Endpoint,This ASIM parser supports normalizing the Cisco Secure Endpoint logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.,CiscoSecureEndpointEventsV2_CL,,disabled:bool=False;pack:bool=False,,CiscoSecureEndpointLogsCCPDefinition,Cisco Secure Endpoint,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM);[Developer](https://www.bluevoyant.com/),Parsers\ASimAlertEvent\Parsers\ASimAlertEventCiscoSecureEndpoint.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventCiscoSecureEndpoint.yaml ASimAlertEventMicrosoftDefenderXDR,_ASim_AlertEvent_MicrosoftDefenderXDR,AlertEvent,0.1,source,Alert Event ASIM parser for Microsoft Defender XDR,0.2.0,"Jan 09, 2026",Microsoft Defender XDR,This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema.,AlertEvidence,,disabled:bool=False,,,,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEventMicrosoftDefenderXDR.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml +ASimAlertEventPaloAltoXDR,_ASim_AlertEvent_PaloAltoXDR,AlertEvent,0.1,source,Alert Event ASIM parser for Palo Alto XDR,0.1.0,"Jun 04, 2026",Palo Alto XDR,This ASIM parser supports normalizing the Palo Alto XDR logs (via Codeless Connector Framework) to the ASIM Alert normalized 
schema.,PaloAltoCortexXDR_Alerts_CL,,disabled:bool=False;pack:bool=False,,CortexXDRDataConnector,Cortex XDR,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM);[Developer](https://www.bluevoyant.com/),Parsers\ASimAlertEvent\Parsers\ASimAlertEventPaloAltoXDR.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventPaloAltoXDR.yaml ASimAlertEventSentinelOneSingularity,_ASim_AlertEvent_SentinelOneSingularity,AlertEvent,0.1,source,Alert Event ASIM parser for SentinelOne Singularity platform,0.1.0,"Oct 09, 2024",SentinelOne,This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema.,SentinelOne_CL,,disabled:bool=False,,SentinelOne,SentinelOne,[ASIM Alert Event Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\ASimAlertEventSentinelOneSingularity.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml -imAlertEvent,_Im_AlertEvent,AlertEvent,0.1,union,Alert Event ASIM filtering parser,0.1.2,"Apr 22, 2026",Source agnostic,This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema.,,_Im_AlertEvent_Empty;_Im_AlertEvent_BitdefenderGravityZone;_Im_AlertEvent_MicrosoftDefenderXDR;_Im_AlertEvent_SentinelOneSingularity;_Im_AlertEvent_CiscoSecureEndpoint,starttime:datetime=datetime(null);endtime:datetime=datetime(null);ipaddr_has_any_prefix:dynamic=dynamic([]);hostname_has_any:dynamic=dynamic([]);username_has_any:dynamic=dynamic([]);attacktactics_has_any:dynamic=dynamic([]);attacktechniques_has_any:dynamic=dynamic([]);threatcategory_has_any:dynamic=dynamic([]);alertverdict_has_any:dynamic=dynamic([]);eventseverity_has_any:dynamic=dynamic([]);pack:bool=False,,,,[ASIM Alert 
Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\imAlertEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml +imAlertEvent,_Im_AlertEvent,AlertEvent,0.1,union,Alert Event ASIM filtering parser,0.1.3,"Jun 03, 2026",Source agnostic,This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema.,,_Im_AlertEvent_Empty;_Im_AlertEvent_BitdefenderGravityZone;_Im_AlertEvent_MicrosoftDefenderXDR;_Im_AlertEvent_SentinelOneSingularity;_Im_AlertEvent_CiscoSecureEndpoint;_Im_AlertEvent_PaloAltoXDR,starttime:datetime=datetime(null);endtime:datetime=datetime(null);ipaddr_has_any_prefix:dynamic=dynamic([]);hostname_has_any:dynamic=dynamic([]);username_has_any:dynamic=dynamic([]);attacktactics_has_any:dynamic=dynamic([]);attacktechniques_has_any:dynamic=dynamic([]);threatcategory_has_any:dynamic=dynamic([]);alertverdict_has_any:dynamic=dynamic([]);eventseverity_has_any:dynamic=dynamic([]);pack:bool=False,,,,[ASIM Alert Schema](https://aka.ms/ASimAlertEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAlertEvent\Parsers\imAlertEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml ASimAssetEntity,_ASim_AssetEntity,AssetEntity,0.1.0,union,Asset Entity ASIM parser,0.1.0,"Mar 03, 2026",Source agnostic,This ASIM parser supports normalizing Asset Entity logs from all supported sources to the ASIM Asset Entity normalized schema.,,_Im_AssetEntity_Empty,pack:bool=False,,,,[ASIM Asset Entity Schema](https://aka.ms/ASimAssetEntityDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAssetEntity\Parsers\ASimAssetEntity.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAssetEntity/Parsers/ASimAssetEntity.yaml imAssetEntity,_Im_AssetEntity,AssetEntity,0.1.0,union,Asset Entity ASIM filtering parser,0.1.0,"Mar 03, 2026",Source agnostic,This ASIM 
parser supports filtering and normalizing Asset Entity logs from all supported sources to the ASIM 'AssetEntity' normalized schema.,,_Im_AssetEntity_Empty,starttime:datetime=datetime(null);endtime:datetime=datetime(null);entityid_has_any:dynamic=dynamic([]);entityname_has_any:dynamic=dynamic([]);assettype_in:string=*;path_has_any:dynamic=dynamic([]);assetowner_has_any:dynamic=dynamic([]);entitysource_has_any:dynamic=dynamic([]);pack:bool=False,,,,[ASIM Asset Entity Schema](https://aka.ms/ASimAssetEntityDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAssetEntity\Parsers\imAssetEntity.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAssetEntity/Parsers/imAssetEntity.yaml ASimAuditEvent,_ASim_AuditEvent,AuditEvent,0.1,union,Audit event ASIM parser,0.1.7,"March 10, 2026",Source agnostic,This ASIM parser supports normalizing audit events from all supported sources to the ASIM Audit Event activity normalized schema.,,_Im_AuditEvent_Empty;_ASim_AuditEvent_MicrosoftExchangeAdmin365;_ASim_AuditEvent_AWSCloudTrail;_ASim_AuditEvent_AzureActivity;_ASim_AuditEvent_AzureKeyVault;_ASim_AuditEvent_MicrosoftWindowsEvents;_ASim_AuditEvent_MicrosoftSecurityEvents;_ASim_AuditEvent_MicrosoftEvent;_ASim_AuditEvent_CiscoISE;_ASim_AuditEvent_CiscoMeraki;_ASim_AuditEvent_CiscoMerakiSyslog;_ASim_AuditEvent_BarracudaWAF;_ASim_AuditEvent_BarracudaCEF;_ASim_AuditEvent_CrowdStrikeFalconHost;_ASim_AuditEvent_VectraXDRAudit;_ASim_AuditEvent_SentinelOne;_ASim_AuditEvent_VMwareCarbonBlackCloud;_ASim_AuditEvent_InfobloxBloxOne;_ASim_AuditEvent_IllumioSaaSCore;_ASim_AuditEvent_Native;_ASim_AuditEvent_SQLSecurityAudit,pack:bool=False,,,,[ASIM Audit Event Schema](https://aka.ms/ASimAuditEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimAuditEvent\Parsers\ASimAuditEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml 
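Review bot: the `ASimAlertEventBitdefenderGravityZone` row moves `parser_last_updated` from "May 26, 2026" to "Jun 08, 2026" while `parser_version` stays at 0.1.0; if the source YAML really changed, its version should have been bumped upstream, and if only the date moved, this row is noise worth calling out in the commit message. The new `ASimAlertEventPaloAltoXDR` row is also internally inconsistent: `product_name` says "Palo Alto XDR" while `associated_connectors`/`associated_solutions` say `CortexXDRDataConnector`/`Cortex XDR`; that originates in the YAML rather than in this generated CSV, but the union rows (`_ASim_AlertEvent_PaloAltoXDR` added to both `ASimAlertEvent` and `imAlertEvent`) will carry the name forward, so it deserves a note. The two union rows themselves are consistent with each other: both go 0.1.2 to 0.1.3 with the same "Jun 03, 2026" date and add the same sub-parser.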
@@ -92,7 +93,7 @@ ASimDnsVectraAI,_ASim_Dns_VectraAI,Dns,0.1.3,source,DNS ASIM parser for Vectra A ASimDnsZscalerZIA,_ASim_Dns_ZscalerZIA,Dns,0.1.3,source,DNS activity ASIM parser for Zscaler ZIA,0.6,Feb 19 2023,Zscaler ZIA DNS,This ASIM parser supports normalizing Zscaler ZIA DNS logs to the ASIM Dns normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceProduct == ""NSSDNSlog""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM DNS Schema](https://aka.ms/ASimDnsDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimDns\Parsers\ASimDnsZscalerZIA.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsZscalerZIA.yaml imDns,_Im_Dns,Dns,0.1.7,union,DNS activity ASIM filtering parser.,0.5.2,"June 7, 2024",Source agnostic,This ASIM parser supports filtering and normalizing DNS activity logs from all supported sources to the ASIM DNS activity normalized schema.,,_Im_Dns_Empty;_Im_Dns_AzureFirewall;_Im_Dns_CiscoUmbrella;_Im_Dns_CorelightZeek;_Im_Dns_FortinetFortiGate;_Im_Dns_Gcp;_Im_Dns_InfobloxNIOS;_Im_Dns_MicrosoftNXlog;_Im_Dns_MicrosoftOMS;_Im_Dns_MicrosoftSysmon;_Im_Dns_MicrosoftSysmonWindowsEvent;_Im_Dns_Native;_Im_Dns_SentinelOne;_Im_Dns_VectraAI;_Im_Dns_ZscalerZIA;_Im_Dns_InfobloxBloxOne,starttime:datetime=datetime(null);endtime:datetime=datetime(null);srcipaddr:string=*;domain_has_any:dynamic=dynamic([]);responsecodename:string=*;response_has_ipv4:string=*;response_has_any_prefix:dynamic=dynamic([]);eventtype:string=lookup;pack:bool=False,,,,[ASIM DNS Schema](https://aka.ms/ASimDnsDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimDns\Parsers\imDns.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/imDns.yaml ASimFileEvent,_ASim_FileEvent,FileEvent,0.2.1,union,File event ASIM parser,0.1.4,"Jun 6, 2024",Source agnostic,This ASIM parser supports normalizing File 
activity logs from all supported sources to the ASIM File Event normalized schema.,,_Im_FileEvent_Empty;_ASim_FileEvent_LinuxSysmonFileCreated;_ASim_FileEvent_LinuxSysmonFileDeleted;_ASim_FileEvent_AzureBlobStorage;_ASim_FileEvent_Microsoft365D;_ASim_FileEvent_AzureFileStorage;_ASim_FileEvent_AzureQueueStorage;_ASim_FileEvent_MicrosoftSharePoint;_ASim_FileEvent_MicrosoftSysmon;_ASim_FileEvent_MicrosoftSysmonWindowsEvent;_ASim_FileEvent_AzureTableStorage;_ASim_FileEvent_MicrosoftWindowsEvents;_ASim_FileEvent_MicrosoftSecurityEvents;_ASim_FileEvent_Native;_ASim_FileEvent_SentinelOne;_ASim_FileEvent_VMwareCarbonBlackCloud;_ASim_FileEvent_GoogleWorkspace;_ASim_FileEvent_AWSCloudTrail,pack:bool=False,,,,[ASIM File Event Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimFileEvent\Parsers\ASimFileEvent.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml -ASimFileEventAWSCloudTrail,_ASim_FileEvent_AWSCloudTrail,FileEvent,0.2.2,source,FileEvent ASIM parser for AWS Cloud Trail,0.1.0,"Feb 04, 2026",AWS Cloud Trail,This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com),AWSCloudTrail,,disabled:bool=False;pack:bool=False,"AWSCloudTrail.EventSource == ""s3.amazonaws.com"" | _Computed.type in ""AWS::S3::Bucket,AWS::S3::Object""",AWS,Amazon Web Services,[ASIM User Management Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM);[File Event (S3) Documentation in AWS CloudTrail logs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html),Parsers\ASimFileEvent\Parsers\ASimFileEventAWSCloudTrail.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml +ASimFileEventAWSCloudTrail,_ASim_FileEvent_AWSCloudTrail,FileEvent,0.2.2,source,FileEvent ASIM parser for AWS Cloud Trail,0.1.0,"Feb 04, 2026",AWS Cloud 
Trail,This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com),AWSCloudTrail,,disabled:bool=False;pack:bool=False,"AWSCloudTrail.EventSource == ""s3.amazonaws.com"" | _Computed.Type in ""AWS::S3::Bucket,AWS::S3::Object""",AWS,Amazon Web Services,[ASIM User Management Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM);[File Event (S3) Documentation in AWS CloudTrail logs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html),Parsers\ASimFileEvent\Parsers\ASimFileEventAWSCloudTrail.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml ASimFileEventAzureBlobStorage,_ASim_FileEvent_AzureBlobStorage,FileEvent,0.1.0,source,File Activity ASIM parser for Azure Blob Storage,0.1.1,"Nov 03, 2023",Microsoft Azure Blob Storage,"This ASIM parser supports normalizing Azure Blob Storage events, stored in the StorageBlobLogs table, to the ASIM file activity schema.",StorageBlobLogs,,disabled:bool=False,"_Computed.StatusText == ""Success""",AzureStorageAccount,Azure Storage,[ASIM File Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM);[Storage Analytics log format](https://docs.microsoft.comrest/api/storageservices/storage-analytics-log-format),Parsers\ASimFileEvent\Parsers\ASimFileEventAzureBlobStorage.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEventAzureBlobStorage.yaml ASimFileEventAzureFileStorage,_ASim_FileEvent_AzureFileStorage,FileEvent,0.2.1,source,File Activity ASIM parser for Azure File Storage,0.1.1,"Nov 01, 2023",Microsoft Azure File Storage,"This ASIM parser supports normalizing Azure File Storage events, stored in the StorageFileLogs table, to the ASIM file activity schema.",StorageFileLogs,,disabled:bool=False,"_Computed.StatusText == ""Success""",AzureStorageAccount,Azure Storage,[ASIM File 
Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM);[Storage Analytics log format](https://docs.microsoft.comrest/api/storageservices/storage-analytics-log-format),Parsers\ASimFileEvent\Parsers\ASimFileEventAzureFileStorage.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEventAzureFileStorage.yaml ASimFileEventAzureQueueStorage,_ASim_FileEvent_AzureQueueStorage,FileEvent,0.1.0,source,File Activity ASIM parser for Azure Queue Storage,0.1.1,"Nov 03, 2023",Microsoft Azure Queue Storage,"This ASIM parser supports normalizing Azure Queue Storage events, stored in the StorageQueueLogs table, to the ASIM file activity schema.",StorageQueueLogs,,disabled:bool=False,"_Computed.StatusText == ""Success""",AzureStorageAccount,Azure Storage,[ASIM File Schema](https://aka.ms/ASimFileEventDoc);[ASIM](https://aka.ms/AboutASIM);[Storage Analytics log format](https://docs.microsoft.comrest/api/storageservices/storage-analytics-log-format),Parsers\ASimFileEvent\Parsers\ASimFileEventAzureQueueStorage.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/ASimFileEventAzureQueueStorage.yaml 
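Review bot: in the ASimFileEventAWSCloudTrail row the only change is the case of the computed field in the filter column (`_Computed.type in "AWS::S3::Bucket,AWS::S3::Object"` becomes `_Computed.Type in ...`), while the parser version 0.1.0 and date "Feb 04, 2026" in the same row stay put; if this reflects a rename in ASimFileEventAWSCloudTrail.yaml the version and date would normally move with it, and if it reflects a change in how the generator cases extracted names, that should be said in the commit message so readers of the index know which one it is. Two pre-existing defects in this region survive the change and could be fixed in the same pass: the AWS row labels the FileEvent schema link `[ASIM User Management Schema](https://aka.ms/ASimFileEventDoc)`, and the three Azure Storage context rows link to `https://docs.microsoft.comrest/api/storageservices/storage-analytics-log-format`, which is missing the slash before `rest`.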
@@ -125,7 +126,7 @@ ASimNetworkSessionCiscoISE,_ASim_NetworkSession_CiscoISE,NetworkSession,0.2.6,so ASimNetworkSessionCiscoMeraki,_ASim_NetworkSession_CiscoMeraki,NetworkSession,0.2.6,source,Network Session ASIM parser for Cisco Meraki,1.2.2,"Jun 26, 2025",Cisco Meraki,"This ASIM parser supports normalizing Cisco Meraki logs ingested in 'meraki_CL' table to the ASIM Network Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.",meraki_CL,,disabled:bool=False,"_Computed.EventResult == ""Failure"" | _Computed.temp_srcipport has "".""",CustomlogsviaAMA,CustomLogsAma,[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Cisco Meraki Documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionCiscoMeraki.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoMeraki.yaml ASimNetworkSessionCiscoMerakiSyslog,_ASim_NetworkSession_CiscoMerakiSyslog,NetworkSession,0.2.6,source,Network Session ASIM parser for Cisco Meraki,1.2.2,"Nov 23, 2025",Cisco Meraki,"This ASIM parser supports normalizing Cisco Meraki logs ingested in 'Syslog' to the ASIM Network Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. 
These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.",Syslog,,disabled:bool=False,"Syslog.Computer == ""CiscoMeraki""",SyslogAma,Syslog,[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Cisco Meraki Documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionCiscoMerakiSyslog.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoMerakiSyslog.yaml ASimNetworkSessionCorelightZeek,_ASim_NetworkSession_CorelightZeek,NetworkSession,0.2.4,source,Network Session ASIM parser for Corelight Zeek,0.2,Dec 11 2022,Corelight Zeek,This ASIM parser supports normalizing Corelight Zeek Connection logs to the ASIM Network Session normalized schema.,Corelight_CL,,disabled:bool=False,,CorelightConnectorExporter,Corelight,[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https:/aka.ms/AboutASIM),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionCorelightZeek.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCorelightZeek.yaml -ASimNetworkSessionCrowdStrikeFalconHost,_ASim_NetworkSession_CrowdStrikeFalconHost,NetworkSession,0.2.6,source,NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection,0.1.0,"Oct 26, 2023",CrowdStrike Falcon Endpoint Protection,This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Network Session normalized schema. 
These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceEventClassID in ""FirewallMatchEvent,Network Access In A Detection Summary Event"" | CommonSecurityLog.DeviceEventClassID has ""Network Access In A Detection Summary Event"" | CommonSecurityLog.DeviceProduct == ""FalconHost"" | CommonSecurityLog.DeviceVendor == ""CrowdStrike"" | _Computed.DstIpAddr contains ""."" | _Computed.DstIpAddr contains "":"" | _Computed.Hostname matchesregex ""(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))"" | _Computed.connectionDirection in ""1,2""","CefAma, CrowdStrikeFalconEndpointProtection, CrowdStrikeFalconEndpointProtectionAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, CrowdStrike Falcon Endpoint Protection, VirtualMetric DataStream",[ASIM NetworkSession Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[CrowdStrike Falcon Endpoint Protection Documentation](https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary#x9b9e3b3 https://falcon.us-2.crowdstrike.com/documentation/page/e3ce0b24/events-data-dictionary#AssociateIndicator https://falcon.us-2.crowdstrike.com/documentation/page/eb1587d1/siem-connector#mc98af8f),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionCrowdStrikeFalconHost.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCrowdStrikeFalconHost.yaml +ASimNetworkSessionCrowdStrikeFalconHost,_ASim_NetworkSession_CrowdStrikeFalconHost,NetworkSession,0.2.6,source,NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection,0.1.0,"Oct 26, 2023",CrowdStrike 
Falcon Endpoint Protection,This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Network Session normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceEventClassID in ""FirewallMatchEvent,Network Access In A Detection Summary Event"" | CommonSecurityLog.DeviceEventClassID has ""Network Access In A Detection Summary Event"" | CommonSecurityLog.DeviceProduct == ""FalconHost"" | CommonSecurityLog.DeviceVendor == ""CrowdStrike"" | _Computed.DstIpAddr contains ""."" | _Computed.DstIpAddr contains "":"" | _Computed.connectionDirection in ""1,2"" | _Computed.hostName matchesregex ""(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))""","CefAma, CrowdStrikeFalconEndpointProtection, CrowdStrikeFalconEndpointProtectionAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, CrowdStrike Falcon Endpoint Protection, VirtualMetric DataStream",[ASIM NetworkSession Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[CrowdStrike Falcon Endpoint Protection Documentation](https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary https://falcon.us-2.crowdstrike.com/documentation/page/d88d9ed6/streaming-api-event-dictionary#x9b9e3b3 https://falcon.us-2.crowdstrike.com/documentation/page/e3ce0b24/events-data-dictionary#AssociateIndicator https://falcon.us-2.crowdstrike.com/documentation/page/eb1587d1/siem-connector#mc98af8f),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionCrowdStrikeFalconHost.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCrowdStrikeFalconHost.yaml 
ASimNetworkSessionForcePointFirewall,_ASim_NetworkSession_ForcePointFirewall,NetworkSession,0.2.6,source,Network Session ASIM parser for Force Point Firewall,0.1,"March 17, 2022",ForcePointFirewall,This ASIM parser supports normalizing Force Point Firewall logs coming from CEF Data Connector to the ASIM Network Session normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.ApplicationProtocol startswith ""TCP"" | CommonSecurityLog.ApplicationProtocol startswith ""UDP"" | CommonSecurityLog.DestinationServiceName in~ ""Application-Unknown,Generic-Web-HTTP,Unknown-Encrypted-Application"" | CommonSecurityLog.DeviceEventClassID in ""70734,76508,76509"" | CommonSecurityLog.DeviceEventClassID != ""0"" | CommonSecurityLog.DeviceEventClassID !in ""70383,70393,70734,71009,71040"" | CommonSecurityLog.DeviceProduct == ""Firewall"" | CommonSecurityLog.DeviceVendor == ""FORCEPOINT"" | CommonSecurityLog.RequestMethod != ""UNKNOWN""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Field Description in Force Point Logs](https://help.stonesoft.com/onlinehelp/StoneGate/SMC/6.8.0/GUID-DA3B3807-18E1-482B-A5E8-A8BD468E5BB0.html),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionForcePointFirewall.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionForcePointFirewall.yaml ASimNetworkSessionFortinetFortiGate,_ASim_NetworkSession_FortinetFortiGate,NetworkSession,0.2.6,source,Network Session ASIM parser for Fortinet FortiGate,0.6.0,"Nov 11, 2025",Fortinet FortiGate,This ASIM parser supports normalizing Fortinet FortiGate logs to the ASIM Web Session normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceProduct startswith ""FortiGate"" | CommonSecurityLog.DeviceVendor == 
""Fortinet"" | _Computed.EventResult == ""Success"" | _Computed._UtmAction == ""allow""","CefAma, Fortinet, FortinetAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel, VirtualMetric DataStream",[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionFortinetFortiGate.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionFortinetFortiGate.yaml ASimNetworkSessionIllumioSaaSCore,_ASim_NetworkSession_IllumioSaaSCore,NetworkSession,0.2.6,source,NetworkSession ASIM Parser for Illumio SaaS Core,0.1.0,"Aug 21, 2024",Illumio SaaS Core,This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector.,Illumio_Flow_Events_CL,,disabled:bool=False,,IllumioSaaSDataConnector,IllumioSaaS,[ASIM Network Session Schema](https://aka.ms/ASimNetworkSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Illumio SaaS Core Documentation](https://docs.illumio.com/core/24.1/Content/Guides/events-administration/events-described/list-of-event-types.htm),Parsers\ASimNetworkSession\Parsers\ASimNetworkSessionIllumioSaaSCore.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionIllumioSaaSCore.yaml 
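Review bot: the ASimNetworkSessionCrowdStrikeFalconHost row changes `_Computed.Hostname matchesregex ...` to `_Computed.hostName matchesregex ...` and moves it after `_Computed.connectionDirection in "1,2"`, with version 0.1.0 and date "Oct 26, 2023" unchanged; the reordering looks like a case-sensitive sort, so please confirm the new casing is the variable actually used in ASimNetworkSessionCrowdStrikeFalconHost.yaml, because a wrongly cased name in this column silently misreports the parser's filter. Unchanged here but worth a follow-up: the documentation cell packs four space-separated URLs into a single markdown link target (`[CrowdStrike Falcon Endpoint Protection Documentation](https://falcon.us-2.crowdstrike.com/... https://...)`), which does not render as a link, and `[ASIM](https:/aka.ms/AboutASIM)` is missing a slash, a defect the Corelight Zeek context row shares.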
@@ -192,13 +193,13 @@ ASimUserManagementMicrosoftWindowsEvent,_ASim_UserManagement_MicrosoftWindowsEve ASimUserManagementNative,_ASim_UserManagement_Native,UserManagement,0.1.1,source,User Management activity ASIM parser for Microsoft Sentinel native User Management activity table,0.1.0,Mar 07 2024,Native,"This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.",ASimUserManagementActivityLogs,,disabled:bool=False,,SynqlyIntegrationConnector,SynqlyIntegrationConnector,[ASIM User Management Schema](https://aka.ms/ASimUserManagementDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimUserManagement\Parsers\ASimUserManagementNative.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml ASimUserManagementSentinelOne,_ASim_UserManagement_SentinelOne,UserManagement,0.1.1,source,User Management ASIM parser for SentinelOne,0.1.1,"Nov 07, 2023",SentinelOne,"This ASIM parser supports normalizing SentinelOne logs to the ASIM User Management normalized schema. 
SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.",SentinelOne_CL,,disabled:bool=False,,SentinelOne,SentinelOne,[ASIM UserManagement Schema](https://aka.ms/ASimUserManagementDoc);[ASIM](https://aka.ms/AboutASIM);https://.sentinelone.net/api-doc/overview,Parsers\ASimUserManagement\Parsers\ASimUserManagementSentinelOne.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimUserManagement/Parsers/ASimUserManagementSentinelOne.yaml imUserManagement,_Im_UserManagement,UserManagement,0.1,union,User Management ASIM filtering parser,0.1.3,"May 30, 2024",Source agnostic,This ASIM parser supports normalizing User Management logs from all supported sources to the ASIM User Management normalized schema.,,_Im_UserManagement_Empty;_Im_UserManagement_AWSCloudTrail;_Im_UserManagement_CiscoISE;_Im_UserManagement_LinuxAuthpriv;_Im_UserManagement_MicrosoftWindowsEvent;_Im_UserManagement_MicrosoftSecurityEvent;_Im_UserManagement_SentinelOne;_Im_UserManagement_Native,starttime:datetime=datetime(null);endtime:datetime=datetime(null);srcipaddr_has_any_prefix:dynamic=dynamic([]);targetusername_has_any:dynamic=dynamic([]);actorusername_has_any:dynamic=dynamic([]);eventtype_in:dynamic=dynamic([]);pack:bool=False,,,,[ASIM UserManagement Schema](https://aka.ms/ASimUserManagementDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimUserManagement\Parsers\imUserManagement.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml -ASimWebSession,_ASim_WebSession,WebSession,0.2.7,union,Web Session ASIM parser,0.5.5,"Mar 24, 2026",Source agnostic,This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM Web Session normalized 
schema.,,_Im_WebSession_Empty;_ASim_WebSession_SquidProxy;_ASim_WebSession_ZscalerZIA;_ASim_WebSession_VectraAI;_ASim_WebSession_Native;_ASim_WebSession_IIS;_ASim_WebSession_PaloAltoCEF;_ASim_WebSession_ApacheHTTPServer;_ASim_WebSession_FortinetFortiGate;_ASim_WebSession_CiscoMeraki;_ASim_WebSession_BarracudaWAF;_ASim_WebSession_BarracudaCEF;_ASim_WebSession_CitrixNetScaler;_ASim_WebSession_CiscoFirepower;_ASim_WebSession_F5ASM;_ASim_WebSession_PaloAltoCortexDataLake;_ASim_WebSession_SonicWallFirewall;_ASim_WebSession_AzureFirewall;_ASim_WebSession_CiscoUmbrella,pack:bool=False,,,,[ASIM WebSession Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\ASimWebSession.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSession.yaml +ASimWebSession,_ASim_WebSession,WebSession,0.2.7,union,Web Session ASIM parser,0.5.6,"Jun 05, 2026",Source agnostic,This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM Web Session normalized schema.,,_Im_WebSession_Empty;_ASim_WebSession_SquidProxy;_ASim_WebSession_ZscalerZIA;_ASim_WebSession_VectraAI;_ASim_WebSession_Native;_ASim_WebSession_IIS;_ASim_WebSession_PaloAltoCEF;_ASim_WebSession_ApacheHTTPServer;_ASim_WebSession_FortinetFortiGate;_ASim_WebSession_CiscoMeraki;_ASim_WebSession_BarracudaWAF;_ASim_WebSession_BarracudaCEF;_ASim_WebSession_CitrixNetScaler;_ASim_WebSession_CiscoFirepower;_ASim_WebSession_F5ASM;_ASim_WebSession_PaloAltoCortexDataLake;_ASim_WebSession_SonicWallFirewall;_ASim_WebSession_AzureFirewall;_ASim_WebSession_CiscoUmbrella;_ASim_WebSession_SalesforceServiceCloudV2,pack:bool=False,,,,[ASIM WebSession Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\ASimWebSession.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSession.yaml 
ASimWebSessionApacheHTTPServer,_ASim_WebSession_ApacheHTTPServer,WebSession,0.2.6,source,Web Session ASIM parser for Apache HTTP Server,0.1.0,"Jun 19, 2023",Apache HTTP Server,This ASIM parser supports filtering and normalizing Apache HTTP Server logs produced by the Microsoft Sentinel Apache connector to the ASIM Web Session normalized schema.,ApacheHTTPServer_CL,,disabled:bool=False,,"ApacheHTTPServer, CustomlogsviaAMA","ApacheHTTPServer, CustomLogsAma",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[Apache HTTP Server](https://httpd.apache.org/docs/2.4/logs.html),Parsers\ASimWebSession\Parsers\ASimWebSessionApacheHTTPServer.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionApacheHTTPServer.yaml ASimWebSessionAzureFirewall,_ASim_WebSession_AzureFirewall,WebSession,0.2.6,source,Web Session ASIM parser for Azure Firewall,0.1.0,"Dec 3, 2025",Azure Firewall,This ASIM parser supports normalizing Azure Firewall logs to the ASIM Web Session normalized schema.,AZFWApplicationRule,,disabled:bool=False,,,,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\ASimWebSessionAzureFirewall.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionAzureFirewall.yaml ASimWebSessionBarracudaCEF,_ASim_WebSession_BarracudaCEF,WebSession,0.2.6,source,Web Session ASIM parser for Barracuda CEF,0.2.1,"Jun 18, 2024",Barracuda WAF,This ASIM parser supports normalizing the Barracuda WAF logs ingested in 'CommonSecurityLog' table to the ASIM Web Session normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceProduct in ""WAAS,WAF"" | CommonSecurityLog.DeviceVendor startswith ""Barracuda""","Barracuda, CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Barracuda WAF, Common Event Format, 
VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Logs type Description in Barracuda WAF](https://campus.barracuda.com/product/webapplicationfirewall/doc/78810008/types-of-logs/),Parsers\ASimWebSession\Parsers\ASimWebSessionBarracudaCEF.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionBarracudaCEF.yaml ASimWebSessionBarracudaWAF,_ASim_WebSession_BarracudaWAF,WebSession,0.2.6,source,Web Session ASIM parser for Barracuda WAF,0.2.2,"Jun 26, 2025",Barracuda WAF,This ASIM parser supports normalizing the Barracuda WAF logs ingested in 'barracuda_CL' table to the ASIM Web Session normalized schema.,barracuda_CL,,disabled:bool=False,,,,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Logs type Description in Barracuda WAF](https://campus.barracuda.com/product/webapplicationfirewall/doc/78810008/types-of-logs/),Parsers\ASimWebSession\Parsers\ASimWebSessionBarracudaWAF.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionBarracudaWAF.yaml ASimWebSessionCiscoFirepower,_ASim_WebSession_CiscoFirepower,WebSession,0.2.6,source,Web Session ASIM parser for Cisco Firepower,0.1.0,Oct 30 2023,Cisco Firepower,This ASIM parser supports normalizing commonly used Cisco Firepower messages collected using the CEF Data Connector to the ASIM WebSession normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceEventClassID in ""File:500:1,FileMalware:502:1,FireAMP:125:1"" | CommonSecurityLog.DeviceEventClassID has ""File:500:1"" | CommonSecurityLog.DeviceEventClassID has ""FileMalware:502:1"" | CommonSecurityLog.DeviceProduct == ""Firepower"" | CommonSecurityLog.DeviceVendor == ""Cisco"" | _Computed.Disposition =~ ""Malware"" | _Computed.Disposition !~ ""Malware"" | _Computed.DstIpAddr has ""."" | _Computed.DstIpAddr has "":"" | _Computed.DvcAction in 
""Allow,Deny""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[Cisco Firepower Documentation](https://github.com/CiscoSecurity/fp-05-firepower-cli/tree/master/estreamer https://www.cisco.com/c/en/us/td/docs/security/firepower/620/api/eStreamer/EventStreamerIntegrationGuide/IS-DCRecords.html#88027 https://www.cisco.com/c/en/us/td/docs/security/firepower/620/api/eStreamer/EventStreamerIntegrationGuide/IS-DCRecords.html#84248),Parsers\ASimWebSession\Parsers\ASimWebSessionCiscoFirepower.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoFirepower.yaml -ASimWebSessionCiscoMeraki,_ASim_WebSession_CiscoMeraki,WebSession,0.2.6,source,Web Session ASIM filtering parser for Cisco Meraki,0.1.1,"Nov 13, 2025",Cisco Meraki,"This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Web Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. 
These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.",Syslog;meraki_CL,,disabled:bool=False,"_Computed.DvcAction in ""Allow,Deny"" | _Computed.LogType == ""urls"" | _Computed.disposition == ""malicious"" | _Computed.dst has ""."" | _Computed.src has "".""","CiscoSDWAN, CiscoUCS, CitrixADC, CustomlogsviaAMA, Forescout, RSASecurIDAM, WatchguardFirebox","Cisco SD-WAN, Cisco UCS, Citrix ADC, CustomLogsAma, Forescout (Legacy), RSA SecurID, Watchguard Firebox",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Cisco Meraki Documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples),Parsers\ASimWebSession\Parsers\ASimWebSessionCiscoMeraki.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoMeraki.yaml +ASimWebSessionCiscoMeraki,_ASim_WebSession_CiscoMeraki,WebSession,0.2.6,source,Web Session ASIM filtering parser for Cisco Meraki,0.1.1,"Nov 13, 2025",Cisco Meraki,"This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Web Session normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. 
These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.",Syslog;meraki_CL,,disabled:bool=False,"_Computed.DvcAction in ""Allow,Deny"" | _Computed.LogType == ""urls"" | _Computed.Src has ""."" | _Computed.disposition == ""malicious"" | _Computed.dst has "".""","CiscoSDWAN, CiscoUCS, CitrixADC, CustomlogsviaAMA, Forescout, RSASecurIDAM, WatchguardFirebox","Cisco SD-WAN, Cisco UCS, Citrix ADC, CustomLogsAma, Forescout (Legacy), RSA SecurID, Watchguard Firebox",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Cisco Meraki Documentation](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Event_Types_and_Log_Samples),Parsers\ASimWebSession\Parsers\ASimWebSessionCiscoMeraki.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoMeraki.yaml ASimWebSessionCiscoUmbrella,_ASim_WebSession_CiscoUmbrella,WebSession,0.2.7,source,Web Session ASIM parser for Cisco Umbrella Proxy Logs,0.1.0,"Mar 24, 2026",Cisco Umbrella,This ASIM parser supports normalizing Cisco Umbrella proxy logs to the ASIM Web Session normalized schema.,Cisco_Umbrella_proxy_CL,,disabled:bool=False;pack:bool=False,,"CiscoUmbrellaDataConnector, CiscoUmbrellaDataConnectorelasticpremium",CiscoUmbrella,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Cisco Umbrella Documentation](https://securitydocs.cisco.com/docs/umbrella-dns/olh/147416.dita),Parsers\ASimWebSession\Parsers\ASimWebSessionCiscoUmbrella.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoUmbrella.yaml ASimWebSessionCitrixNetScaler,_ASim_WebSession_CitrixNetScaler,WebSession,0.2.6,source,Web Session ASIM parser for Citrix NetScaler(Web App Firewall),0.1.1,"Jun 26, 2025",Citrix NetScaler,This ASIM parser supports normalizing Citrix NetScaler WAF(Web 
Application Firewall) logs to the ASIM Web Session normalized schema. Citrix NetScaler WAF(Web Application Firewall) events are captured through Citrix WAF (Web App Firewall) data connector which ingests web attack logs into Microsoft Sentinel in CEF format via Syslog.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceEventClassID == ""APPFW"" | CommonSecurityLog.DeviceProduct == ""NetScaler"" | CommonSecurityLog.DeviceVendor == ""Citrix"" | _Computed.Computer matchesregex ""(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))"" | _Computed.host matchesregex ""(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Citrix NetScaler WAF Documentation](https://support.citrix.com/article/CTX136146/common-event-format-cef-logging-support-in-the-application-firewall https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/logs https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/xml-protections/xml-cross-site-scripting-check),Parsers\ASimWebSession\Parsers\ASimWebSessionCitrixNetScaler.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionCitrixNetScaler.yaml ASimWebSessionF5ASM,_ASim_WebSession_F5ASM,WebSession,0.2.6,source,Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM),0.1.0,Dec 04 2023,F5 BIG-IP Application Security Manager (ASM),This ASIM parser supports normalizing F5 Big IP ASM(Application Security Manager) logs to the ASIM Web Session normalized schema. 
F5 Big IP ASM events are captured through F5 Network data connector which ingests attack events and data into Microsoft Sentinel in CEF format over Syslog using F5's technology partner Arcsight.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceProduct == ""ASM"" | CommonSecurityLog.DeviceVendor == ""F5""","CefAma, F5, F5Ama, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, F5 Networks, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[F5 Big IP ASM Documentation](https://techdocs.f5.com/en-us/bigip-15-0-0/external-monitoring-of-big-ip-systems-implementations/event-messages-and-attack-types.html https://docplayer.net/9349757-Common-event-format-configuration-guide.html),Parsers\ASimWebSession\Parsers\ASimWebSessionF5ASM.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionF5ASM.yaml 
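Review bot: two unrelated changes share this hunk and deserve separate justification. The ASimWebSession union row bumps version 0.5.5 to 0.5.6 and date "Mar 24, 2026" to "Jun 05, 2026" and appends `_ASim_WebSession_SalesforceServiceCloudV2` to the union list, which is consistent with the ASimWebSessionSalesforceServiceCloudV2 row added in the next hunk (same schema version 0.2.7 and same date). The ASimWebSessionCiscoMeraki row, by contrast, only re-cases `_Computed.src has "."` to `_Computed.Src has "."` and re-sorts it ahead of `_Computed.disposition`, leaving `_Computed.dst has "."` lowercase in the same expression with version 0.1.1 and date "Nov 13, 2025" untouched; either the parser really mixes `Src` and `dst` and this is correct, or the extractor picked up a different variable than before, so please verify against ASimWebSessionCiscoMeraki.yaml before merging.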
@@ -207,8 +208,9 @@ ASimWebSessionIIS,_ASim_WebSession_IIS,WebSession,0.2.6,source,Web Session ASIM ASimWebSessionNative,_ASim_WebSession_Native,WebSession,0.2.5,source,Web Session ASIM parser for Microsoft Sentinel native Network Session table,0.1,Jan 5 2023,Native,"This ASIM parser supports normalizing the native Microsoft Sentinel Web Session table (ASimWebSessionLogs) to the ASIM WebSession normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.",ASimWebSessionLogs,,disabled:bool=False,"ASimWebSessionLogs.EventType in ""EndpointNetworkSession,HTTPSession""",SynqlyIntegrationConnector,SynqlyIntegrationConnector,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\ASimWebSessionNative.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionNative.yaml ASimWebSessionPaloAltoCEF,_ASim_WebSession_PaloAltoCEF,WebSession,0.2.5,source,Web Session ASIM parser for Palo Alto Networks URL Filtering,0.2,Mar 12 2023,Palo Alto Networks,"This ASIM parser supports normalizing Palo Alto PanOS threat event logs delivered using CEF to the ASIM WebSession normalized schema. 
The Palo Alto threat events are generated by the Palo Alto URL filtering module and collected using the Palo Alto Networks connectors, Common Event Format (CEF) via AMA connector, or the Common Event Format (CEF) via Legacy Agent connector to the CommonSecurityLog table.",CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.Activity == ""THREAT"" | CommonSecurityLog.DeviceEventClassID == ""url"" | CommonSecurityLog.DeviceProduct == ""PAN-OS"" | CommonSecurityLog.DeviceVendor == ""Palo Alto Networks"" | _Computed.FlexString2 in ""client-to-server,server-to-client"" | _Computed.NetworkDirection in ""Inbound,Outbound"" | _Computed.ThreatField in ""DstIpAddr,SrcIpAddr""","CefAma, PaloAltoNetworks, PaloAltoNetworksAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, PaloAlto-PAN-OS, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[URL Filter fields](https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/url-filtering-log-fields.html);[Palo Alto Common Event Format Integration Guide [pdf]](https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-10-0-cef-configuration-guide.pdf),Parsers\ASimWebSession\Parsers\ASimWebSessionPaloAltoCEF.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionPaloAltoCEF.yaml ASimWebSessionPaloAltoCortexDataLake,_ASim_WebSession_PaloAltoCortexDataLake,WebSession,0.2.6,source,Web Session ASIM parser for Palo Alto Cortex Data Lake,0.1.1,Jan 22 2024,Palo Alto Cortex Data Lake,This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Web Session normalized schema. 
These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceEventClassID == ""THREAT"" | CommonSecurityLog.DeviceProduct == ""LF"" | CommonSecurityLog.DeviceVendor == ""Palo Alto Networks"" | _Computed.DstIpAddr contains ""."" | _Computed.DstIpAddr contains "":"" | _Computed.PanOSIsClienttoServer == ""true"" | _Computed.PanOSIsSaaSApplication in ""false,true""","CefAma, PaloAltoCDL, PaloAltoCDLAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, PaloAltoCDL, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[Palo Alto Cortex Data Lake Documentation](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference/network-logs/network-url-log),Parsers\ASimWebSession\Parsers\ASimWebSessionPaloAltoCortexDataLake.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionPaloAltoCortexDataLake.yaml +ASimWebSessionSalesforceServiceCloudV2,_ASim_WebSession_SalesforceServiceCloudV2,WebSession,0.2.7,source,Web Session ASIM parser for Salesforce Service Cloud,0.1.0,"Jun 05, 2026",Salesforce Service Cloud,This ASIM parser supports normalizing Salesforce Service Cloud web session and API request logs from the SalesforceServiceCloudV2_CL table to the ASIM Web Session normalized schema.,SalesforceServiceCloudV2_CL,,disabled:bool=False;pack:bool=False,"_Computed.SrcUsername has ""@"" | _Computed.UserType in ""S,Standard,X"" | _Computed._UrlHost has "".""",SalesforceServiceCloud,Salesforce Service Cloud,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Salesforce Service Cloud REST API 
Documentation](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/resources_query.htm),Parsers\ASimWebSession\Parsers\ASimWebSessionSalesforceServiceCloudV2.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionSalesforceServiceCloudV2.yaml ASimWebSessionSonicWallFirewall,_ASim_WebSession_SonicWallFirewall,WebSession,0.2.6,source,Web Session ASIM parser for SonicWall firewalls,0.1.1,"Jun 26, 2025",SonicWall,This ASIM parser supports normalizing SonicWall SonicOS ArcSight-formatted syslog received via the SonicWall Firewall/Common Event Format data connectors and ingested to the CommonSecurityLog table by Microsoft Sentinel to the ASIM WebSession normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DestinationIP has "":"" | CommonSecurityLog.DeviceVendor == ""SonicWall"" | CommonSecurityLog.Protocol !contains ""/"" | CommonSecurityLog.Protocol contains ""-"" | _Computed.DeviceEventCategory in ""1,1024,1048576,128,131072,16,2,2048,2097152,256,262144,32,32768,4,4096,4194304,512,524288,64,65536,8,8192,8388608"" | _Computed.DstAppName contains ""\"" | _Computed.DstIpAddr !has "".255"" | _Computed.DstZone in ""MULTICAST,WAN"" | _Computed.DstZone != ""WAN"" | _Computed.DvcAction in ""Management,NA,Other"" | _Computed.LogSeverity in ""1,2,3,4,5,6,7,8,9"" | _Computed.NetworkDirection in ""Inbound,Local,NA,Outbound"" | _Computed.SrcAppName contains ""\"" | _Computed.SrcUsername in ""Unknown (SSO bypassed),Unknown (external IP)"" | _Computed.SrcUsername has ""="" | _Computed.SrcUsername has ""@"" | _Computed.SrcUsername has ""\\"" | _Computed.SrcZone in ""VPN,WAN"" | _Computed.SrcZone != ""WAN"" | _Computed.ThreatField in ""DstIpAddr,SrcIpAddr"" | _Computed.gcat in ""10,11,12,13,14,15,16,17,18,19,2,3,4,5,6,7,8,9"" | _Computed.ipspri in ""2,3"" | _Computed.spypri in ""2,3""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, 
VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[SonicWall SonicOS/X 7.0.1 Log Events Reference Guide [PDF]](https://www.sonicwall.com/techdocs/pdf/SonicOS-X_7.0.1_LogEvents_ReferenceGuide.pdf),Parsers\ASimWebSession\Parsers\ASimWebSessionSonicWallFirewall.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionSonicWallFirewall.yaml ASimWebSessionSquidProxy,_ASim_WebSession_SquidProxy,WebSession,0.2.6,source,Web Session ASIM parser for Squid Proxy,0.4.0,"Jun 05, 2025",Squid Proxy,This ASIM parser supports normalizing Squid Proxy logs produced by the Microsoft Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.,SquidProxy_CL,,disabled:bool=False,"_Computed.DstIpAddr == ""-"" | _Computed.EventResult == ""Success"" | _Computed.HttpContentType in ""-,:"" | _Computed.SrcUsername == ""-""",CustomlogsviaAMA,CustomLogsAma,[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Squid Proxy Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#squid-proxy-preview);[Squid native access log format](https://wiki.squid-cache.org/Features/LogFormat),Parsers\ASimWebSession\Parsers\ASimWebSessionSquidProxy.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml ASimWebSessionVectraAI,_ASim_WebSession_VectraAI,WebSession,0.2.3,source,Web Session ASIM parser for Vectra AI streams,0.2,Dec 28 2022,Vectra AI Streams,This ASIM parser supports normalizing Vectra AI Streams logs produced to the ASIM Web Session normalized schema.,VectraStream_CL,,disabled:bool=False;pack:bool=False,"_Computed.EventResult == ""Success""","AIVectraStream, CustomlogsviaAMA","CustomLogsAma, Vectra AI Stream",[ASIM Web Session 
Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https:/aka.ms/AboutASIM);[Zscaler Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler);[Zscaler Sentinel deployment guide](https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide),Parsers\ASimWebSession\Parsers\ASimWebSessionVectraAI.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionVectraAI.yaml ASimWebSessionZscalerZIA,_ASim_WebSession_ZscalerZIA,WebSession,0.2.6,source,Web Session ASIM parser for Zscaler ZIA,0.4.1,"Nov 3, 2025",Zscaler ZIA,This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema.,CommonSecurityLog,,disabled:bool=False,"CommonSecurityLog.DeviceCustomString4 == ""None"" | CommonSecurityLog.DeviceProduct == ""NSSWeblog"" | CommonSecurityLog.DeviceVendor == ""Zscaler"" | CommonSecurityLog.RequestContext == ""None"" | _Computed.EventResultDetails == ""NA"" | _Computed.FileMD5 == ""None""","CefAma, VirtualMetricDirectorProxy, VirtualMetricMSSentinelConnector, VirtualMetricMSSentinelDataLakeConnector","Common Event Format, VirtualMetric DataStream",[ASIM Web Session Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM);[Zscaler Connector](https://docs.microsoft.com/azure/sentinel/data-connectors-reference#zscaler);[Zscaler Sentinel deployment guide](https://help.zscaler.com/zia/zscaler-microsoft-azure-sentinel-deployment-guide),Parsers\ASimWebSession\Parsers\ASimWebSessionzScalerZIA.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml -imWebSession,_Im_WebSession,WebSession,0.2.7,union,Web Session ASIM filtering parser,0.6.3,"Mar 24, 2026",Source agnostic,This ASIM parser supports filtering and normalizing Web Session logs from all supported sources to the ASIM Web Session normalized 
schema.,,_Im_WebSession_Empty;_Im_WebSession_SquidProxy;_Im_WebSession_ZscalerZIA;_Im_WebSession_VectraAI;_Im_WebSession_Native;_Im_WebSession_IIS;_Im_WebSession_PaloAltoCEF;_Im_WebSession_ApacheHTTPServer;_Im_WebSession_FortinetFortiGate;_Im_WebSession_CiscoMeraki;_Im_WebSession_BarracudaWAF;_Im_WebSession_BarracudaCEF;_Im_WebSession_CitrixNetScaler;_Im_WebSession_CiscoFirepower;_Im_WebSession_F5ASM;_Im_WebSession_PaloAltoCortexDataLake;_Im_WebSession_SonicWallFirewall;_Im_WebSession_AzureFirewall;_Im_WebSession_CiscoUmbrella,starttime:datetime=datetime(null);endtime:datetime=datetime(null);srcipaddr_has_any_prefix:dynamic=dynamic([]);ipaddr_has_any_prefix:dynamic=dynamic([]);url_has_any:dynamic=dynamic([]);httpuseragent_has_any:dynamic=dynamic([]);eventresultdetails_in:dynamic=dynamic([]);eventresult:string=*;eventresultdetails_has_any:dynamic=dynamic([]);disabled:bool=False;pack:bool=False,,,,[ASIM WebSession Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\imWebSession.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/imWebSession.yaml +imWebSession,_Im_WebSession,WebSession,0.2.7,union,Web Session ASIM filtering parser,0.6.4,"Jun 05, 2026",Source agnostic,This ASIM parser supports filtering and normalizing Web Session logs from all supported sources to the ASIM Web Session normalized 
schema.,,_Im_WebSession_Empty;_Im_WebSession_SquidProxy;_Im_WebSession_ZscalerZIA;_Im_WebSession_VectraAI;_Im_WebSession_Native;_Im_WebSession_IIS;_Im_WebSession_PaloAltoCEF;_Im_WebSession_ApacheHTTPServer;_Im_WebSession_FortinetFortiGate;_Im_WebSession_CiscoMeraki;_Im_WebSession_BarracudaWAF;_Im_WebSession_BarracudaCEF;_Im_WebSession_CitrixNetScaler;_Im_WebSession_CiscoFirepower;_Im_WebSession_F5ASM;_Im_WebSession_PaloAltoCortexDataLake;_Im_WebSession_SonicWallFirewall;_Im_WebSession_AzureFirewall;_Im_WebSession_CiscoUmbrella;_Im_WebSession_SalesforceServiceCloudV2,starttime:datetime=datetime(null);endtime:datetime=datetime(null);srcipaddr_has_any_prefix:dynamic=dynamic([]);ipaddr_has_any_prefix:dynamic=dynamic([]);url_has_any:dynamic=dynamic([]);httpuseragent_has_any:dynamic=dynamic([]);eventresultdetails_in:dynamic=dynamic([]);eventresult:string=*;eventresultdetails_has_any:dynamic=dynamic([]);disabled:bool=False;pack:bool=False,,,,[ASIM WebSession Schema](https://aka.ms/ASimWebSessionDoc);[ASIM](https://aka.ms/AboutASIM),Parsers\ASimWebSession\Parsers\imWebSession.yaml,https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/imWebSession.yaml diff --git a/Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv b/Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv index 741e08781a7..0c01287786e 100644 --- a/Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv +++ b/Tools/Solutions Analyzer/asim_parsers_unmatched_report.csv 
@@ -1,9 +1,9 @@ "parser_name","parser_type","tables","filter_fields","sub_parsers","reason" "ASimAgentEvent","union","","","_Im_AgentEvent_Empty","Union parser (uses sub-parsers, not direct tables)" "imAgentEvent","union","","","_Im_AgentEvent_Empty","Union parser (uses sub-parsers, not direct tables)" -"ASimAlertEvent","union","","","_Im_AlertEvent_Empty;_ASim_AlertEvent_BitdefenderGravityZone;_ASim_AlertEvent_MicrosoftDefenderXDR;_ASim_AlertEvent_SentinelOneSingularity;_ASim_AlertEvent_CiscoSecureEndpoint","Union parser (uses sub-parsers, not direct tables)" +"ASimAlertEvent","union","","","_Im_AlertEvent_Empty;_ASim_AlertEvent_BitdefenderGravityZone;_ASim_AlertEvent_MicrosoftDefenderXDR;_ASim_AlertEvent_SentinelOneSingularity;_ASim_AlertEvent_CiscoSecureEndpoint;_ASim_AlertEvent_PaloAltoXDR","Union parser (uses sub-parsers, not direct tables)" "ASimAlertEventMicrosoftDefenderXDR","source","AlertEvidence","","","Filter mismatch - parser uses: no filters" -"imAlertEvent","union","","","_Im_AlertEvent_Empty;_Im_AlertEvent_BitdefenderGravityZone;_Im_AlertEvent_MicrosoftDefenderXDR;_Im_AlertEvent_SentinelOneSingularity;_Im_AlertEvent_CiscoSecureEndpoint","Union parser (uses sub-parsers, not direct tables)" +"imAlertEvent","union","","","_Im_AlertEvent_Empty;_Im_AlertEvent_BitdefenderGravityZone;_Im_AlertEvent_MicrosoftDefenderXDR;_Im_AlertEvent_SentinelOneSingularity;_Im_AlertEvent_CiscoSecureEndpoint;_Im_AlertEvent_PaloAltoXDR","Union parser (uses sub-parsers, not direct tables)" "ASimAssetEntity","union","","","_Im_AssetEntity_Empty","Union parser (uses sub-parsers, not direct tables)" "imAssetEntity","union","","","_Im_AssetEntity_Empty","Union parser (uses sub-parsers, not direct tables)" 
"ASimAuditEvent","union","","","_Im_AuditEvent_Empty;_ASim_AuditEvent_MicrosoftExchangeAdmin365;_ASim_AuditEvent_AWSCloudTrail;_ASim_AuditEvent_AzureActivity;_ASim_AuditEvent_AzureKeyVault;_ASim_AuditEvent_MicrosoftWindowsEvents;_ASim_AuditEvent_MicrosoftSecurityEvents;_ASim_AuditEvent_MicrosoftEvent;_ASim_AuditEvent_CiscoISE;_ASim_AuditEvent_CiscoMeraki;_ASim_AuditEvent_CiscoMerakiSyslog;_ASim_AuditEvent_BarracudaWAF;_ASim_AuditEvent_BarracudaCEF;_ASim_AuditEvent_CrowdStrikeFalconHost;_ASim_AuditEvent_VectraXDRAudit;_ASim_AuditEvent_SentinelOne;_ASim_AuditEvent_VMwareCarbonBlackCloud;_ASim_AuditEvent_InfobloxBloxOne;_ASim_AuditEvent_IllumioSaaSCore;_ASim_AuditEvent_Native;_ASim_AuditEvent_SQLSecurityAudit","Union parser (uses sub-parsers, not direct tables)" 
@@ -54,7 +54,7 @@ "imRegistry","union","","","_Im_RegistryEvent_Empty;_Im_RegistryEvent_Microsoft365D;_Im_RegistryEvent_MicrosoftSysmon;_Im_RegistryEvent_MicrosoftSysmonWindowsEvent;_Im_RegistryEvent_MicrosoftWindowsEvent;_Im_RegistryEvent_MicrosoftSecurityEvent;_Im_RegistryEvent_SentinelOne;_Im_RegistryEvent_Native;_Im_RegistryEvent_VMwareCarbonBlackCloud;_Im_RegistryEvent_TrendMicroVisionOne","Union parser (uses sub-parsers, not direct tables)" "ASimUserManagement","union","","","_Im_UserManagement_Empty;_ASim_UserManagement_AWSCloudTrail;_ASim_UserManagement_CiscoISE;_ASim_UserManagement_LinuxAuthpriv;_ASim_UserManagement_MicrosoftSecurityEvent;_ASim_UserManagement_MicrosoftWindowsEvent;_ASim_UserManagement_SentinelOne;_ASim_UserManagement_Native","Union parser (uses sub-parsers, not direct tables)" "imUserManagement","union","","","_Im_UserManagement_Empty;_Im_UserManagement_AWSCloudTrail;_Im_UserManagement_CiscoISE;_Im_UserManagement_LinuxAuthpriv;_Im_UserManagement_MicrosoftWindowsEvent;_Im_UserManagement_MicrosoftSecurityEvent;_Im_UserManagement_SentinelOne;_Im_UserManagement_Native","Union parser (uses sub-parsers, not direct tables)" -"ASimWebSession","union","","","_Im_WebSession_Empty;_ASim_WebSession_SquidProxy;_ASim_WebSession_ZscalerZIA;_ASim_WebSession_VectraAI;_ASim_WebSession_Native;_ASim_WebSession_IIS;_ASim_WebSession_PaloAltoCEF;_ASim_WebSession_ApacheHTTPServer;_ASim_WebSession_FortinetFortiGate;_ASim_WebSession_CiscoMeraki;_ASim_WebSession_BarracudaWAF;_ASim_WebSession_BarracudaCEF;_ASim_WebSession_CitrixNetScaler;_ASim_WebSession_CiscoFirepower;_ASim_WebSession_F5ASM;_ASim_WebSession_PaloAltoCortexDataLake;_ASim_WebSession_SonicWallFirewall;_ASim_WebSession_AzureFirewall;_ASim_WebSession_CiscoUmbrella","Union parser (uses sub-parsers, not direct tables)" 
+"ASimWebSession","union","","","_Im_WebSession_Empty;_ASim_WebSession_SquidProxy;_ASim_WebSession_ZscalerZIA;_ASim_WebSession_VectraAI;_ASim_WebSession_Native;_ASim_WebSession_IIS;_ASim_WebSession_PaloAltoCEF;_ASim_WebSession_ApacheHTTPServer;_ASim_WebSession_FortinetFortiGate;_ASim_WebSession_CiscoMeraki;_ASim_WebSession_BarracudaWAF;_ASim_WebSession_BarracudaCEF;_ASim_WebSession_CitrixNetScaler;_ASim_WebSession_CiscoFirepower;_ASim_WebSession_F5ASM;_ASim_WebSession_PaloAltoCortexDataLake;_ASim_WebSession_SonicWallFirewall;_ASim_WebSession_AzureFirewall;_ASim_WebSession_CiscoUmbrella;_ASim_WebSession_SalesforceServiceCloudV2","Union parser (uses sub-parsers, not direct tables)" "ASimWebSessionAzureFirewall","source","AZFWApplicationRule","","","Filter mismatch - parser uses: no filters" "ASimWebSessionBarracudaWAF","source","barracuda_CL","","","Filter mismatch - parser uses: no filters" -"imWebSession","union","","","_Im_WebSession_Empty;_Im_WebSession_SquidProxy;_Im_WebSession_ZscalerZIA;_Im_WebSession_VectraAI;_Im_WebSession_Native;_Im_WebSession_IIS;_Im_WebSession_PaloAltoCEF;_Im_WebSession_ApacheHTTPServer;_Im_WebSession_FortinetFortiGate;_Im_WebSession_CiscoMeraki;_Im_WebSession_BarracudaWAF;_Im_WebSession_BarracudaCEF;_Im_WebSession_CitrixNetScaler;_Im_WebSession_CiscoFirepower;_Im_WebSession_F5ASM;_Im_WebSession_PaloAltoCortexDataLake;_Im_WebSession_SonicWallFirewall;_Im_WebSession_AzureFirewall;_Im_WebSession_CiscoUmbrella","Union parser (uses sub-parsers, not direct tables)" 
+"imWebSession","union","","","_Im_WebSession_Empty;_Im_WebSession_SquidProxy;_Im_WebSession_ZscalerZIA;_Im_WebSession_VectraAI;_Im_WebSession_Native;_Im_WebSession_IIS;_Im_WebSession_PaloAltoCEF;_Im_WebSession_ApacheHTTPServer;_Im_WebSession_FortinetFortiGate;_Im_WebSession_CiscoMeraki;_Im_WebSession_BarracudaWAF;_Im_WebSession_BarracudaCEF;_Im_WebSession_CitrixNetScaler;_Im_WebSession_CiscoFirepower;_Im_WebSession_F5ASM;_Im_WebSession_PaloAltoCortexDataLake;_Im_WebSession_SonicWallFirewall;_Im_WebSession_AzureFirewall;_Im_WebSession_CiscoUmbrella;_Im_WebSession_SalesforceServiceCloudV2","Union parser (uses sub-parsers, not direct tables)" diff --git a/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/README.md b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/README.md new file mode 100644 index 00000000000..dbabb3db49f --- /dev/null +++ b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/README.md 
@@ -0,0 +1,67 @@ +# Daily Solution Analyzer Upload (Azure Function) + +This Function App uploads Solution Analyzer CSVs to Azure Data Explorer (Kusto) on a daily schedule. + +It reuses the existing uploader in [../../upload_to_kusto.py](../../upload_to_kusto.py) and runs it with: + +- `--solution-analyzer` +- `--raw-base-url` pointing to the output branch CSV location +- `--auth-mode managed-identity` (recommended) + +## Trigger + +Timer trigger schedule in [function_app.py](function_app.py): + +- `0 15 2 * * *` (daily at 02:15 UTC) + +## Required App Settings + +- `KUSTO_CLUSTER_URL`: e.g. `https://dataacquisition.eastus.kusto.windows.net` +- `KUSTO_DATABASE`: target database name +- `SA_OUTPUT_RAW_BASE_URL`: raw GitHub URL for output branch CSV root + - Example: `https://raw.githubusercontent.com////Tools/Solutions%20Analyzer` +- `KUSTO_AUTH_MODE`: `managed-identity` or `azure-cli` + - Use `managed-identity` in Azure +- `MANAGED_IDENTITY_CLIENT_ID` (optional): user-assigned MI client ID + +## Permissions + +Grant the Function App managed identity permissions on the Kusto database: + +- Admin path: `.add database ingestors ('aadapp=')` +- And if needed for DDL (drop/create): admin-level permissions for table management + +The uploader drops and recreates target tables before ingestion, so table admin permissions are required. + +## Local test + +1. Copy [local.settings.sample.json](local.settings.sample.json) to `local.settings.json` +2. Fill values +3. Start Function host: + +```bash +func start +``` + +4. Trigger manually from Azure Portal or wait for the schedule. + +## Deployment notes + +Deploy this folder as a Python Function App package. + +Recommended: + +1. `func azure functionapp publish ` +2. Configure app settings listed above +3. Enable system-assigned or user-assigned managed identity +4. 
Grant Kusto permissions + +## Why Azure Function over Logic App + +This workflow needs: + +- Python/Kusto SDK control (table drop/create/mapping + queued ingestion) +- Strong retry/error logging +- Easy reuse of existing upload logic + +An Azure Function is a better fit than Logic App for this code-heavy ingestion path. diff --git a/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/function_app.py b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/function_app.py new file mode 100644 index 00000000000..b260cea8911 --- /dev/null +++ b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/function_app.py 
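Review bot: the Permissions section contradicts itself about the role the Function App identity needs. The first bullet grants `database ingestors`, but the closing paragraph says the uploader always drops and recreates the target tables, so ingestor rights alone can never be sufficient and the "if needed for DDL" qualifier is misleading. State the exact role that is required (and that it goes beyond ingest), and prefer scoping it to the specific tables the uploader manages rather than granting database-wide admin to a daily, unattended identity; least privilege matters more here precisely because nobody is watching the run. Also, the placeholder tokens in the sample values render as empty (`https://raw.githubusercontent.com////Tools/Solutions%20Analyzer`, `('aadapp=')`, `func azure functionapp publish `); confirm the committed file spells out the owner, repo, branch, app id and app name placeholders so a reader can see what to fill in.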
@@ -0,0 +1,77 @@ +import logging +import os +import subprocess +import sys +from pathlib import Path + +import azure.functions as func + + +app = func.FunctionApp() + + +def _required_env(name: str) -> str: + value = os.getenv(name) + if not value: + raise ValueError(f"Missing required app setting: {name}") + return value + + +@app.timer_trigger(schedule="0 15 2 * * *", arg_name="mytimer", run_on_startup=False, use_monitor=True) +def daily_solution_analyzer_upload(mytimer: func.TimerRequest) -> None: + """Daily upload of Solution Analyzer CSVs from output branch to ADX/Kusto.""" + if mytimer.past_due: + logging.warning("Timer trigger was past due") + + cluster_url = _required_env("KUSTO_CLUSTER_URL") + database = _required_env("KUSTO_DATABASE") + raw_base_url = _required_env("SA_OUTPUT_RAW_BASE_URL") + + auth_mode = os.getenv("KUSTO_AUTH_MODE", "managed-identity") + managed_identity_client_id = os.getenv("MANAGED_IDENTITY_CLIENT_ID", "").strip() + + # Function files live under: Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function + # upload_to_kusto.py is two levels up. 
+ function_dir = Path(__file__).resolve().parent + uploader = function_dir.parent.parent / "upload_to_kusto.py" + + if not uploader.exists(): + raise FileNotFoundError(f"upload_to_kusto.py not found at {uploader}") + + cmd = [ + sys.executable, + str(uploader), + "--cluster", + cluster_url, + "--database", + database, + "--solution-analyzer", + "--raw-base-url", + raw_base_url, + "--auth-mode", + auth_mode, + ] + + if auth_mode == "managed-identity" and managed_identity_client_id: + cmd.extend(["--managed-identity-client-id", managed_identity_client_id]) + + logging.info("Starting daily Solution Analyzer upload") + logging.info("Uploader path: %s", uploader) + logging.info("Raw base URL: %s", raw_base_url) + + result = subprocess.run( + cmd, + capture_output=True, + text=True, + timeout=1800, + ) + + if result.stdout: + logging.info("Uploader stdout:\n%s", result.stdout) + if result.stderr: + logging.warning("Uploader stderr:\n%s", result.stderr) + + if result.returncode != 0: + raise RuntimeError(f"Uploader exited with code {result.returncode}") + + logging.info("Daily Solution Analyzer upload completed successfully") diff --git a/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/host.json b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/host.json new file mode 100644 index 00000000000..06d01bdaa95 --- /dev/null +++ b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/host.json @@ -0,0 +1,15 @@ +{ + "version": "2.0", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + } + }, + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[4.*, 5.0.0)" + } +} 
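Review bot: `uploader = function_dir.parent.parent / "upload_to_kusto.py"` resolves to a path two directories above this folder, but the README says to deploy this folder as the Function App package, so at runtime the parent directories are not present and every scheduled run will fail at the `FileNotFoundError` check. Either copy `upload_to_kusto.py` into the function folder (or vendor it as a module and import it instead of shelling out), or build the deployment package from `Tools/Solutions Analyzer` with the function root adjusted accordingly. Two smaller points: the 1800 s `subprocess.run` timeout exceeds the default host timeout and `host.json` sets no `functionTimeout`, so on a Consumption plan the host will abort a long upload well before the subprocess limit fires; and `raw_base_url` and `auth_mode` are passed straight from app settings without validation, so a misconfigured `SA_OUTPUT_RAW_BASE_URL` would have the uploader fetch CSVs from an arbitrary HTTPS location and load them into Kusto. Checking that the URL starts with `https://raw.githubusercontent.com/` and that `auth_mode` is one of the two values the README documents would fail fast instead of silently ingesting the wrong data.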
diff --git a/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/local.settings.sample.json b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/local.settings.sample.json new file mode 100644 index 00000000000..618fdb23ee5 --- /dev/null +++ b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/local.settings.sample.json @@ -0,0 +1,12 @@ +{ + "IsEncrypted": false, + "Values": { + "AzureWebJobsStorage": "UseDevelopmentStorage=true", + "FUNCTIONS_WORKER_RUNTIME": "python", + "KUSTO_CLUSTER_URL": "https://..kusto.windows.net", + "KUSTO_DATABASE": "", + "SA_OUTPUT_RAW_BASE_URL": "https://raw.githubusercontent.com////Tools/Solutions%20Analyzer", + "KUSTO_AUTH_MODE": "managed-identity", + "MANAGED_IDENTITY_CLIENT_ID": "" + } +} diff --git a/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/requirements.txt b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/requirements.txt new file mode 100644 index 00000000000..3d4da07767a --- /dev/null +++ b/Tools/Solutions Analyzer/automation/daily-solution-analyzer-upload-function/requirements.txt @@ -0,0 +1,5 @@ +azure-functions +azure-kusto-data +azure-kusto-ingest +azure-identity +requests diff --git a/Tools/Solutions Analyzer/connector_history.csv b/Tools/Solutions Analyzer/connector_history.csv new file mode 100644 index 00000000000..09f528e1418 --- /dev/null +++ b/Tools/Solutions Analyzer/connector_history.csv 
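Review bot: `requirements.txt` pins nothing (`azure-functions`, `azure-kusto-data`, `azure-kusto-ingest`, `azure-identity`, `requests`), so each deployment or cold rebuild resolves whatever is newest on PyPI at that moment. For an unattended job running under a managed identity that holds table-admin rights on Kusto that is an avoidable supply-chain exposure, and it also makes a failed run unreproducible. Pin each package to a known-good version (or ship a hash-pinned lock file) and bump deliberately. Separately, the sample `KUSTO_CLUSTER_URL` reads `https://..kusto.windows.net` and `SA_OUTPUT_RAW_BASE_URL` contains `////`, so the placeholder tokens appear to be missing from `local.settings.sample.json` as well; make them explicit.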
@@ -0,0 +1,75 @@ +month,commit_sha,commit_date,active_connectors,deprecated_connectors,total_connectors,connectors_created,connectors_updated +2020-05-01,26f5aa82dfe9,2020-04-30,0,0,0,0,0 +2020-06-01,6611766c69e9,2020-05-30,0,0,0,0,0 +2020-07-01,3c85dcb1ebf0,2020-06-30,0,0,0,0,0 +2020-08-01,f0a4604a88c5,2020-07-31,0,0,0,0,0 +2020-09-01,cde77af9d1ec,2020-08-31,0,0,0,0,0 +2020-10-01,5b7fcb966ca3,2020-10-01,0,0,0,0,0 +2020-11-01,a4c9038e67fb,2020-10-30,0,0,0,0,0 +2020-12-01,00feaec7fcb2,2020-12-01,0,0,0,0,0 +2021-01-01,9ffbc33efd69,2020-12-31,0,0,0,0,0 +2021-02-01,40d58b1ca8c3,2021-02-01,0,0,0,3,0 +2021-03-01,3326e3e42797,2021-02-28,3,0,3,10,0 +2021-04-01,bffbb0b9b33e,2021-03-31,13,0,13,4,4 +2021-05-01,1eaa9ab5ecc1,2021-04-30,17,0,17,3,0 +2021-06-01,bcbd3e1cdfa0,2021-05-31,20,0,20,15,7 +2021-07-01,b8a7bba0b8b3,2021-07-01,31,0,31,8,1 +2021-08-01,01e0791f20e9,2021-07-31,41,0,41,4,0 +2021-09-01,424b617efe7b,2021-08-31,43,0,43,3,3 +2021-10-01,eb087c5df0d8,2021-09-30,46,0,46,21,2 +2021-11-01,4923d9699bce,2021-10-31,67,0,67,2,1 +2021-12-01,fa761cf85966,2021-11-30,69,0,69,3,3 +2022-01-01,7518e8aedf0f,2021-12-31,72,0,72,10,1 +2022-02-01,337cd199e69f,2022-02-01,81,0,81,1,3 +2022-03-01,773c6b61ec0a,2022-03-01,83,0,83,8,0 +2022-04-01,c2a4ea5bdc11,2022-04-01,91,0,91,3,3 +2022-05-01,576e263804a5,2022-05-01,94,0,94,44,9 +2022-06-01,1ddac9ee7d96,2022-06-01,94,0,94,10,20 +2022-07-01,f7b7b061caaf,2022-07-01,152,0,152,8,54 +2022-08-01,73d802f73633,2022-08-01,161,0,161,11,12 +2022-09-01,01d28b04992b,2022-09-01,173,0,173,4,15 +2022-10-01,d55d5312d11e,2022-09-30,174,0,174,5,9 +2022-11-01,37518ea46ad2,2022-11-01,182,0,182,13,7 +2022-12-01,ca957773c425,2022-12-01,191,0,191,4,5 +2023-01-01,321d007d4ebb,2023-01-01,195,0,195,10,13 +2023-02-01,6b65eb89747d,2023-02-01,205,0,205,4,9 +2023-03-01,472d8c392337,2023-03-01,212,0,212,6,26 +2023-04-01,fdd5dd831782,2023-03-31,213,0,213,2,20 +2023-05-01,94aa2e2f9007,2023-05-01,214,0,214,2,9 +2023-06-01,eeba07c0a7c5,2023-06-01,214,0,214,2,26 
+2023-07-01,b799576ce030,2023-06-30,214,0,214,7,9 +2023-08-01,8d0b8852c095,2023-08-01,223,0,223,8,12 +2023-09-01,35361d225266,2023-09-01,230,2,232,41,38 +2023-10-01,2cbb065211f3,2023-10-01,224,0,224,10,8 +2023-11-01,e08f2f9c3eb0,2023-11-01,247,30,277,22,18 +2023-12-01,d4968b5853b0,2023-11-30,263,33,296,2,11 +2024-01-01,7bb12216385a,2023-12-29,250,30,280,6,6 +2024-02-01,5fa959df09a7,2024-02-01,271,33,304,6,13 +2024-03-01,0dfe39e9a2d0,2024-03-01,272,33,305,8,16 +2024-04-01,5ab1874cdb09,2024-04-01,281,38,319,6,36 +2024-05-01,ffb9684ad231,2024-05-01,287,39,326,6,5 +2024-06-01,47d12c891543,2024-05-31,291,39,330,3,4 +2024-07-01,8049850c0a57,2024-07-01,294,39,333,10,77 +2024-08-01,5252923298c1,2024-08-01,237,104,341,5,37 +2024-09-01,ed3788057fd4,2024-08-31,216,127,343,3,35 +2024-10-01,dc08ee2a42ce,2024-10-01,221,125,346,14,10 +2024-11-01,e4cfe2d094f0,2024-10-31,229,125,354,6,10 +2024-12-01,cae008b7776f,2024-11-29,236,126,362,6,5 +2025-01-01,d49ac6556d14,2024-12-31,251,126,377,4,10 +2025-02-01,490cc896ad26,2025-01-31,254,126,380,22,11 +2025-03-01,7c8e2ec42a74,2025-02-28,276,126,402,6,9 +2025-04-01,361737877660,2025-04-01,280,126,406,9,22 +2025-05-01,b0cc08acf6b0,2025-04-30,285,131,416,5,21 +2025-06-01,8c4ecaffa2bb,2025-05-30,285,136,421,11,25 +2025-07-01,7f91700863f8,2025-07-01,294,138,432,21,20 +2025-08-01,d0b818aad2cc,2025-08-01,307,142,449,11,30 +2025-09-01,0f80db95978d,2025-09-01,317,145,462,6,22 +2025-10-01,c76164589ab9,2025-10-01,323,145,468,9,14 +2025-11-01,d7ff45235eae,2025-11-01,331,145,476,8,20 +2025-12-01,7e1d893ec9f2,2025-12-01,340,143,483,2,11 +2026-01-01,14db00bc14ad,2026-01-01,347,143,490,7,11 +2026-02-01,0f5e0cc94abf,2026-01-30,352,143,495,23,12 +2026-03-01,59e0373117b4,2026-02-28,374,144,518,25,17 +2026-04-01,9f159e11f5fe,2026-04-01,397,144,541,14,31 +2026-05-01,1ac179527482,2026-04-30,405,151,556,30,17 +2026-06-01,b22bf99976bd,2026-06-01,423,151,574,16,10 
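Review bot: the series is non-monotonic in ways the counting method does not explain: `2023-10-01` reports 224 active / 0 deprecated / 224 total right after `2023-09-01` reported 230 / 2 / 232, and `2024-01-01` drops to 250 / 30 / 280 from 263 / 33 / 296 the month before, with the deprecated count falling back to 0 and then jumping to 30. Those read as sampling artefacts (a sampled commit where some connector JSON failed to parse, or a folder mid-rename) rather than real removals. Before committing this as the reference series, have the generator report per-sample parse failures and flag month-over-month drops so a reader can distinguish a data gap from a genuine decline. The first nine rows (2020-05 through 2021-01) are all zeros; if the `Solutions/` layout did not exist before 2021-02, starting the series there avoids implying that zero connectors existed.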
diff --git a/Tools/Solutions Analyzer/connector_history.py b/Tools/Solutions Analyzer/connector_history.py new file mode 100644 index 00000000000..1755e34c604 --- /dev/null +++ b/Tools/Solutions Analyzer/connector_history.py 
@@ -0,0 +1,652 @@ +#!/usr/bin/env python3 +"""Historical connector counter for the Azure-Sentinel repository. + +Reconstructs, from git history, the number of data connectors that are +**part of a solution** and **not deprecated**, sampled on the 1st of each +month. Output is a CSV time-series written next to the other Solutions +Analyzer CSVs. + +Definitions (mirroring map_solutions_connectors_tables.py at the time of +writing): + +* "Part of a solution": a connector object defined under + ``Solutions//Data Connectors/**/*.json`` (also the + ``DataConnectors`` / ``Data Connector`` folder spellings), or a + ``dataConnectorDefinitions`` resource inside a solution + ``mainTemplate.json``. +* A connector object is a JSON dict carrying string ``id``, ``publisher`` and + ``title`` keys (``title`` must be a literal, not an ARM ``[variables(...)]`` + reference). When ``id`` is an ARM variable reference it is regenerated from + the title (spaces and dashes stripped), matching the mapper. +* "Deprecated" — a connector is excluded when ANY of: + - its title contains ``[DEPRECATED]`` (case-insensitive) or starts with + ``[Deprecated]``; + - its ``availability.status`` is explicitly ``0``; + - the owning solution is deprecated (the solution's ``Description`` text + matches the mapper's solution-deprecation patterns). +* Counting unit: distinct connector IDs. A connector ID counts as active if it + is active in at least one (connector, solution) occurrence. + +The reconstruction reads blobs straight out of git (``ls-tree`` + +``cat-file --batch``) without touching the working tree, so it is safe to run +on any branch. 
+ +Usage:: + + python connector_history.py # full history, monthly + python connector_history.py --start 2023-01 --end 2024-01 + python connector_history.py --ref master --output connector_history.csv +""" +from __future__ import annotations + +import argparse +import csv +import datetime as dt +import hashlib +import json +import re +import subprocess +import sys +import threading +from pathlib import Path +from typing import Any, Dict, List, Optional, Set, Tuple + +# --------------------------------------------------------------------------- # +# Deprecation detection (copied from map_solutions_connectors_tables.py so the +# historical tool stays stable even if the mapper evolves). +# --------------------------------------------------------------------------- # +SOLUTION_DEPRECATED_PATTERNS = [ + re.compile(r'this (?:integration|solution) is (?:considered )?deprecated', re.IGNORECASE), + re.compile(r'this (?:integration|solution) has been deprecated', re.IGNORECASE), +] + +# Folder spellings the mapper recognises for connector definitions. +_DC_FOLDERS = ("Data Connectors", "DataConnectors", "Data Connector") + +# Path matchers (POSIX separators, as git emits). 
+_RE_CONNECTOR_FILE = re.compile( + r'^Solutions/(?P[^/]+)/(?:Data Connectors|DataConnectors|Data Connector)/.*\.json$' +) +_RE_SOLUTION_DATA = re.compile( + r'^Solutions/(?P[^/]+)/Data/Solution_.*\.json$' +) +_RE_MAIN_TEMPLATE = re.compile( + r'^Solutions/(?P[^/]+)/.*mainTemplate\.json$', re.IGNORECASE +) + + +def is_solution_deprecated(description: str) -> bool: + """True when a solution Description indicates the solution is deprecated.""" + for pattern in SOLUTION_DEPRECATED_PATTERNS: + if pattern.search(description): + return True + return False + + +def _availability_deprecated(entry: Dict[str, Any]) -> bool: + """True when availability.status is explicitly 0.""" + availability = entry.get('availability') + if isinstance(availability, dict) and availability.get('status') == 0: + return True + return False + + +def _title_deprecated(title: str) -> bool: + upper = title.upper() + return '[DEPRECATED]' in upper or title.startswith('[Deprecated]') + + +def find_connector_objects(data: Any) -> List[Dict[str, Any]]: + """Find connector objects (id/publisher/title dicts) anywhere in ``data``. + + Mirrors the mapper's detection, including ARM-variable id regeneration. 
+ """ + connectors: List[Dict[str, Any]] = [] + stack = [data] + while stack: + current = stack.pop() + if isinstance(current, dict): + if {"id", "publisher", "title"}.issubset(current.keys()): + id_value = current.get("id") + publisher_value = current.get("publisher") + title_value = current.get("title") + if ( + isinstance(id_value, str) + and isinstance(publisher_value, str) + and isinstance(title_value, str) + and "[variables(" not in title_value.lower() + ): + resolved_id = id_value + if "[variables(" in id_value.lower(): + resolved_id = title_value.replace(" ", "").replace("-", "") + connectors.append({ + "id": resolved_id, + "title": title_value, + "availability": current.get("availability"), + }) + stack.extend(current.values()) + elif isinstance(current, list): + stack.extend(current) + return connectors + + +def find_connectors_in_main_template(data: Any) -> List[Dict[str, Any]]: + """Find dataConnectorDefinitions connectors inside an ARM mainTemplate.""" + connectors: List[Dict[str, Any]] = [] + if not isinstance(data, dict): + return connectors + resources = data.get("resources", []) + if not isinstance(resources, list): + return connectors + stack = list(resources) + seen_ids: Set[str] = set() + while stack: + resource = stack.pop() + if not isinstance(resource, dict): + continue + resource_type = resource.get("type", "") + if isinstance(resource_type, str) and "dataconnectordefinitions" in resource_type.lower(): + properties = resource.get("properties", {}) + if isinstance(properties, dict): + ui_config = properties.get("connectorUiConfig", {}) + if isinstance(ui_config, dict): + connector_id = ui_config.get("id", "") + title = ui_config.get("title", "") + publisher = ui_config.get("publisher", "") + if isinstance(connector_id, str) and "[variables(" in connector_id.lower(): + if isinstance(title, str) and title: + connector_id = title.replace(" ", "").replace("-", "") + else: + connector_id = "" + if ( + isinstance(connector_id, str) and connector_id 
+ and isinstance(title, str) and title + and isinstance(publisher, str) and publisher + and connector_id not in seen_ids + ): + seen_ids.add(connector_id) + connectors.append({ + "id": connector_id, + "title": title, + "availability": ui_config.get("availability"), + }) + nested_resources = resource.get("resources", []) + if isinstance(nested_resources, list): + stack.extend(nested_resources) + properties = resource.get("properties", {}) + if isinstance(properties, dict): + main_template = properties.get("mainTemplate", {}) + if isinstance(main_template, dict): + nested = main_template.get("resources", []) + if isinstance(nested, list): + stack.extend(nested) + return connectors + + +def extract_connector_payloads(data: Any) -> List[Tuple[str, str]]: + """Return [(connector_id, content_hash), ...] for connector objects. + + Used by the merge-based change-flow metric. The hash is a stable SHA-1 of + the full connector object (sorted keys), so that ``update`` is detected + only when a connector's own content actually changes — not merely because + the file it lives in was touched. 
+ """ + results: List[Tuple[str, str]] = [] + stack = [data] + while stack: + current = stack.pop() + if isinstance(current, dict): + if {"id", "publisher", "title"}.issubset(current.keys()): + id_value = current.get("id") + publisher_value = current.get("publisher") + title_value = current.get("title") + if ( + isinstance(id_value, str) + and isinstance(publisher_value, str) + and isinstance(title_value, str) + and "[variables(" not in title_value.lower() + ): + resolved_id = id_value + if "[variables(" in id_value.lower(): + resolved_id = title_value.replace(" ", "").replace("-", "") + payload = json.dumps(current, sort_keys=True, ensure_ascii=False) + digest = hashlib.sha1(payload.encode("utf-8", "replace")).hexdigest() + results.append((resolved_id, digest)) + stack.extend(current.values()) + elif isinstance(current, list): + stack.extend(current) + return results + + +# --------------------------------------------------------------------------- # +# Git plumbing helpers. +# --------------------------------------------------------------------------- # +def _git(repo: Path, args: List[str], binary: bool = False) -> Any: + result = subprocess.run( + ["git", "-C", str(repo), *args], + check=True, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + ) + return result.stdout if binary else result.stdout.decode("utf-8", "replace") + + +def resolve_ref(repo: Path, preferred: Optional[str]) -> str: + """Resolve the history ref, preferring origin/master then master then HEAD.""" + candidates = [preferred] if preferred else ["origin/master", "master", "HEAD"] + for ref in candidates: + if not ref: + continue + try: + _git(repo, ["rev-parse", "--verify", "--quiet", f"{ref}^{{commit}}"]) + return ref + except subprocess.CalledProcessError: + continue + raise SystemExit("Could not resolve a git ref (tried: %s)" % candidates) + + +def commit_before(repo: Path, ref: str, when: dt.date) -> Optional[Tuple[str, str]]: + """Return (sha, iso_commit_date) of the last commit on ref 
before ``when``.""" + iso = f"{when.isoformat()}T00:00:00" + out = _git(repo, ["rev-list", "-1", f"--before={iso}", ref]).strip() + if not out: + return None + cdate = _git(repo, ["show", "-s", "--format=%cs", out]).strip() + return out, cdate + + +def list_tree_files(repo: Path, commit: str) -> List[str]: + """List all file paths under Solutions/ at ``commit`` (NUL-safe).""" + raw = _git( + repo, + ["-c", "core.quotepath=false", "ls-tree", "-r", "-z", + "--name-only", commit, "--", "Solutions"], + binary=True, + ) + if not raw: + return [] + return [p.decode("utf-8", "replace") for p in raw.split(b"\x00") if p] + + +def read_blobs(repo: Path, commit: str, paths: List[str]) -> Dict[str, bytes]: + """Read many blobs at ``commit`` in a single cat-file --batch process. + + A dedicated writer thread feeds object specs into git's stdin while the + main thread consumes stdout, avoiding the pipe deadlock that occurs when + git's output buffer fills before all specs have been written. + """ + if not paths: + return {} + proc = subprocess.Popen( + ["git", "-C", str(repo), "cat-file", "--batch"], + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.DEVNULL, + ) + assert proc.stdin and proc.stdout + + def _feed() -> None: + try: + for p in paths: + proc.stdin.write(f"{commit}:{p}\n".encode("utf-8")) + proc.stdin.flush() + finally: + proc.stdin.close() + + writer = threading.Thread(target=_feed, daemon=True) + writer.start() + + out: Dict[str, bytes] = {} + for path in paths: + header = proc.stdout.readline() + if not header: + break + parts = header.split() + if len(parts) == 2 and parts[1] == b"missing": + continue + if len(parts) < 3: + # Unexpected; skip remainder for safety. 
+ continue + size = int(parts[2]) + content = proc.stdout.read(size) + proc.stdout.read(1) # trailing newline + out[path] = content + proc.stdout.read() + writer.join() + proc.wait() + return out + + +def _iter_blobs_multi(repo: Path, specs: List[Tuple[str, str]]): + """Stream blobs for many (commit, path) specs from one cat-file process. + + Yields ``(index, content_bytes_or_None)`` in the same order as ``specs``. + A writer thread feeds ``:`` lines while the main thread reads + responses, avoiding the cat-file stdin/stdout pipe deadlock. + """ + if not specs: + return + proc = subprocess.Popen( + ["git", "-C", str(repo), "cat-file", "--batch"], + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.DEVNULL, + ) + assert proc.stdin and proc.stdout + + def _feed() -> None: + try: + for commit, path in specs: + proc.stdin.write(f"{commit}:{path}\n".encode("utf-8")) + proc.stdin.flush() + finally: + proc.stdin.close() + + writer = threading.Thread(target=_feed, daemon=True) + writer.start() + + for i in range(len(specs)): + header = proc.stdout.readline() + if not header: + break + parts = header.split() + if len(parts) == 2 and parts[1] == b"missing": + yield i, None + continue + if len(parts) < 3: + yield i, None + continue + size = int(parts[2]) + content = proc.stdout.read(size) + proc.stdout.read(1) # trailing newline + yield i, content + + proc.stdout.read() + writer.join() + proc.wait() + + +def compute_change_flow(repo: Path, ref: str) -> Dict[str, Dict[str, int]]: + """Per-month distinct connector creates/updates from first-parent merges. + + Walks the first-parent merge commits on ``ref`` (oldest first), diffing + each merge against its first parent to find the connector definition files + it brought to master. Connector IDs are classified, against a running + global inventory, as: + + * **created** — the ID had not been seen in any earlier merge; + * **updated** — the ID existed but its content hash changed. 
+ + Within a month, sets are de-duplicated and ``created`` takes precedence + over ``updated`` (a connector created and later changed in the same month + counts only as created). + + Scope note: only merge commits are considered. Connectors introduced via + direct (non-merge) commits to master are attributed to the first merge + that later touches their file. + """ + raw = _git( + repo, + ["-c", "core.quotepath=false", "log", "--first-parent", "--merges", + "--name-status", "--date=short", "--format=__C__%x09%H%x09%cs", ref], + ) + + # Parse: each merge -> (sha, YYYY-MM-DD, [connector paths added/modified]). + merges: List[Dict[str, Any]] = [] + current: Optional[Dict[str, Any]] = None + for line in raw.splitlines(): + if line.startswith("__C__\t"): + _, sha, cdate = line.split("\t", 2) + current = {"sha": sha, "date": cdate, "paths": []} + merges.append(current) + elif line and current is not None: + parts = line.split("\t") + status = parts[0] + if status.startswith("D"): + continue + path = parts[-1] # for renames (R…) git emits old\tnew -> take new + if _RE_CONNECTOR_FILE.match(path): + current["paths"].append(path) + + # Keep only merges that touched connectors; process oldest -> newest. + merges = [m for m in merges if m["paths"]] + merges.reverse() + + # Build a flat, chronological spec list with parallel month metadata. 
+ specs: List[Tuple[str, str]] = [] + spec_month: List[str] = [] + for m in merges: + month_key = m["date"][:7] + "-01" + for p in m["paths"]: + specs.append((m["sha"], p)) + spec_month.append(month_key) + + known: Dict[str, str] = {} + month_created: Dict[str, Set[str]] = {} + month_updated: Dict[str, Set[str]] = {} + + for idx, content in _iter_blobs_multi(repo, specs): + if content is None: + continue + data = _load_json(content) + if data is None: + continue + month_key = spec_month[idx] + created = month_created.setdefault(month_key, set()) + updated = month_updated.setdefault(month_key, set()) + for cid, digest in extract_connector_payloads(data): + if cid not in known: + created.add(cid) + elif known[cid] != digest: + updated.add(cid) + known[cid] = digest + + flow: Dict[str, Dict[str, int]] = {} + for month_key in set(month_created) | set(month_updated): + created = month_created.get(month_key, set()) + updated = month_updated.get(month_key, set()) - created + flow[month_key] = {"created": len(created), "updated": len(updated)} + return flow + + +def _load_json(blob: bytes) -> Optional[Any]: + try: + return json.loads(blob.decode("utf-8-sig", "replace")) + except (ValueError, UnicodeDecodeError): + return None + + +# --------------------------------------------------------------------------- # +# Per-commit analysis. 
+# --------------------------------------------------------------------------- # +def analyze_commit(repo: Path, commit: str, include_main_template: bool) -> Dict[str, int]: + """Count distinct active / deprecated connector IDs at ``commit``.""" + all_paths = list_tree_files(repo, commit) + + connector_paths: List[str] = [] + solution_data_paths: List[str] = [] + main_template_paths: List[str] = [] + for p in all_paths: + if _RE_CONNECTOR_FILE.match(p): + connector_paths.append(p) + elif _RE_SOLUTION_DATA.match(p): + solution_data_paths.append(p) + elif include_main_template and _RE_MAIN_TEMPLATE.match(p): + main_template_paths.append(p) + + wanted = connector_paths + solution_data_paths + main_template_paths + blobs = read_blobs(repo, commit, wanted) + + # Solution-level deprecation, keyed by solution folder name. + deprecated_solutions: Set[str] = set() + for p in solution_data_paths: + m = _RE_SOLUTION_DATA.match(p) + if not m: + continue + data = _load_json(blobs.get(p, b"")) + if not isinstance(data, dict): + continue + description = data.get("Description") or data.get("description") or "" + if isinstance(description, str) and is_solution_deprecated(description): + deprecated_solutions.add(m.group("sol")) + + # active_ids: connector IDs seen active in >=1 occurrence. + # all_ids: every connector ID encountered. 
+ active_ids: Set[str] = set() + all_ids: Set[str] = set() + + def consider(sol: str, conn: Dict[str, Any]) -> None: + cid = conn["id"] + all_ids.add(cid) + deprecated = ( + _title_deprecated(conn["title"]) + or _availability_deprecated(conn) + or sol in deprecated_solutions + ) + if not deprecated: + active_ids.add(cid) + + for p in connector_paths: + m = _RE_CONNECTOR_FILE.match(p) + data = _load_json(blobs.get(p, b"")) + if data is None or not m: + continue + for conn in find_connector_objects(data): + consider(m.group("sol"), conn) + + for p in main_template_paths: + m = _RE_MAIN_TEMPLATE.match(p) + data = _load_json(blobs.get(p, b"")) + if data is None or not m: + continue + for conn in find_connectors_in_main_template(data): + consider(m.group("sol"), conn) + + total = len(all_ids) + active = len(active_ids) + return { + "total_connectors": total, + "active_connectors": active, + "deprecated_connectors": total - active, + } + + +# --------------------------------------------------------------------------- # +# Month iteration & CLI. 
+# --------------------------------------------------------------------------- # +def month_firsts(start: dt.date, end: dt.date) -> List[dt.date]: + months: List[dt.date] = [] + y, m = start.year, start.month + while dt.date(y, m, 1) <= end: + months.append(dt.date(y, m, 1)) + if m == 12: + y, m = y + 1, 1 + else: + m += 1 + return months + + +def _parse_month(value: str) -> dt.date: + for fmt in ("%Y-%m", "%Y-%m-%d"): + try: + return dt.datetime.strptime(value, fmt).date().replace(day=1) + except ValueError: + continue + raise argparse.ArgumentTypeError(f"Invalid month '{value}' (use YYYY-MM)") + + +def main() -> int: + script_dir = Path(__file__).resolve().parent + default_repo = script_dir.parents[1] # Tools/Solutions Analyzer -> repo root + + parser = argparse.ArgumentParser(description=__doc__, + formatter_class=argparse.RawDescriptionHelpFormatter) + parser.add_argument("--repo", type=Path, default=default_repo, + help="Path to the Azure-Sentinel git repo (default: inferred).") + parser.add_argument("--ref", default=None, + help="Git ref to sample (default: origin/master -> master -> HEAD).") + parser.add_argument("--start", type=_parse_month, default=_parse_month("2021-01"), + help="First month to sample, YYYY-MM (default: 2021-01).") + parser.add_argument("--end", type=_parse_month, default=None, + help="Last month to sample, YYYY-MM (default: current month).") + parser.add_argument("--output", type=Path, + default=script_dir / "connector_history.csv", + help="Output CSV path.") + parser.add_argument("--no-main-template", action="store_true", + help="Skip dataConnectorDefinitions in mainTemplate.json files.") + parser.add_argument("--no-flow", action="store_true", + help="Skip the merge-based per-month create/update columns.") + args = parser.parse_args() + + repo: Path = args.repo + ref = resolve_ref(repo, args.ref) + today = dt.date.today() + end: dt.date = args.end or today.replace(day=1) + if end > today.replace(day=1): + end = today.replace(day=1) + + 
include_main_template = not args.no_main_template + months = month_firsts(args.start, end) + + print(f"Repo: {repo}") + print(f"Ref: {ref}") + print(f"Range: {months[0].isoformat()} .. {months[-1].isoformat()} " + f"({len(months)} months)") + print(f"Output: {args.output}") + print("-" * 60) + + rows: List[Dict[str, Any]] = [] + seen_commits: Dict[str, Dict[str, int]] = {} + for month in months: + found = commit_before(repo, ref, month) + if not found: + print(f"{month.isoformat()} (no commit before this date — skipped)") + continue + sha, cdate = found + if sha in seen_commits: + counts = seen_commits[sha] + else: + counts = analyze_commit(repo, sha, include_main_template) + seen_commits[sha] = counts + rows.append({ + "month": month.isoformat(), + "commit_sha": sha[:12], + "commit_date": cdate, + "active_connectors": counts["active_connectors"], + "deprecated_connectors": counts["deprecated_connectors"], + "total_connectors": counts["total_connectors"], + }) + print(f"{month.isoformat()} {sha[:12]} {cdate} " + f"active={counts['active_connectors']:>4} " + f"deprecated={counts['deprecated_connectors']:>3} " + f"total={counts['total_connectors']:>4}") + + fieldnames = ["month", "commit_sha", "commit_date", + "active_connectors", "deprecated_connectors", "total_connectors"] + + if not args.no_flow: + print("-" * 60) + print("Computing per-month creates/updates from first-parent merges...") + flow = compute_change_flow(repo, ref) + for row in rows: + counts = flow.get(row["month"], {}) + row["connectors_created"] = counts.get("created", 0) + row["connectors_updated"] = counts.get("updated", 0) + fieldnames += ["connectors_created", "connectors_updated"] + total_created = sum(r.get("connectors_created", 0) for r in rows) + total_updated = sum(r.get("connectors_updated", 0) for r in rows) + print(f"Flow covered {len(flow)} months; " + f"in range: created={total_created}, updated={total_updated}") + + with open(args.output, "w", newline="", encoding="utf-8") as f: + 
writer = csv.DictWriter(f, fieldnames=fieldnames) + writer.writeheader() + writer.writerows(rows) + + print("-" * 60) + print(f"Wrote {len(rows)} rows to {args.output}") + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/Tools/Solutions Analyzer/connector_history.xlsx b/Tools/Solutions Analyzer/connector_history.xlsx new file mode 100644 index 00000000000..c4d36c3a1c6 Binary files /dev/null and b/Tools/Solutions Analyzer/connector_history.xlsx differ diff --git a/Tools/Solutions Analyzer/connectors.csv b/Tools/Solutions Analyzer/connectors.csv index 346714c37f9..fc738aa926a 100644 --- a/Tools/Solutions Analyzer/connectors.csv +++ b/Tools/Solutions Analyzer/connectors.csv @@ -1,7 +1,7 @@ "connector_id","connector_publisher","connector_title","connector_description","connector_instruction_steps","connector_permissions","connector_id_generated","connector_files","connector_readme_file","collection_method","collection_method_reason","event_vendor","event_product","event_vendor_product_by_table","filter_fields","not_in_solution_json","solution_name","is_deprecated","deprecation_date","is_published","dcr_definition_files","ccf_config_file","ccf_capabilities","ingestion_api","ingestion_api_reason","is_clv1","learn_doc_url" "1Password","1Password","1Password","The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest 1Password logs and events into Microsoft Sentinel. The connector provides visibility into 1Password Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.
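Review bot: the `cat-file --batch` header parsing in `read_blobs` and `_iter_blobs_multi` mishandles the "missing" response for any path containing a space, and Solutions paths routinely do (`Data Connectors`, `42Crunch API Protection` both appear in the CSV in this same change). `git cat-file --batch` echoes the input spec verbatim as `<spec> missing`, so `parts = header.split()` yields more than two fields, `len(parts) == 2 and parts[1] == b"missing"` is false, and `int(parts[2])` raises `ValueError` on `b"missing"` (or a path fragment) instead of skipping; the main thread then dies while the writer thread is still feeding specs. Test `parts[-1] == b"missing"` (or `header.rstrip().endswith(b" missing")`) before the size branch, or switch to `cat-file --batch -z` so specs are NUL-delimited. Three smaller points in the same hunk: `compute_change_flow` runs `git log --first-parent --merges --name-status` and relies on newer git implying `--diff-merges=first-parent`; on older git a merge commit prints no file list, so every merge is dropped by `merges = [m for m in merges if m["paths"]]` and the flow columns silently become zero, so pass `--diff-merges=first-parent` explicitly and fail loudly if git rejects it. `commit_before` builds `--before={when.isoformat()}T00:00:00` without a zone, so the sampled commit for a month depends on the machine's local time zone and two people regenerating `connector_history.csv` can get different `commit_sha` values; append an explicit offset (`T00:00:00Z`) and say in the docstring that the row reflects the state at the start of the month. Finally, `find_connector_objects` and `extract_connector_payloads` duplicate the same stack walk and `[variables(` resolution; factor one generator that yields the connector dict and resolved id and let both wrap it, and guard `main()` against `--start` later than `--end`, where `month_firsts` returns an empty list and `months[0]` raises `IndexError`. The SHA-1 in `extract_connector_payloads` is used only as a content identity for change detection, not as a security property, which is fine as long as the docstring keeps saying so.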

**Underlying Microsoft Technologies used:**

This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:

- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)","[{""description"": "">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": ""**STEP 1 - Configuration steps for the 1Password API**\n\n [Follow these instructions](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) provided by 1Password to obtain an API Token. **Note:** A 1Password account is required""}, {""description"": ""**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created.""}, {""description"": ""This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-OnePassword-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. 
If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."", ""title"": ""Option 1 - Azure Resource Manager (ARM) Template""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""1Password API Token"", ""description"": ""A 1Password API Token is required. [See the documentation to learn more about the 1Password API](https://developer.1password.com/docs/events-api/reference). 
**Note:** A 1Password account is required""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/deployment/1Password_data_connector.json","","Azure Function","Filename indicates Azure Function","","","","","false","1Password","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#1password-using-azure-functions" "1PasswordCCPDefinition","1Password","1Password (Serverless)","The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.","[{""title"": ""STEP 1 - Create a 1Password API token:"", ""description"": ""Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step.""}, {""title"": ""STEP 2 - Choose the correct base URL:"", ""description"": ""There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. 
Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/').""}, {""title"": ""STEP 3 - Enter your 1Password Details:"", ""description"": ""Enter the 1Password base URL & API Token below:"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Base Url"", ""placeholder"": ""Enter your Base Url"", ""type"": ""text"", ""name"": ""BaseUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Token"", ""placeholder"": ""Enter your API Token"", ""type"": ""password"", ""name"": ""ApiToken""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""1Password API token"", ""description"": ""A 1Password API Token is required. 
See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","1Password","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Data%20Connectors/1Password_ccpv2/1Password_PollingConfig.json","APIKey;Paging;POST","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#1password-serverless" -"42CrunchAPIProtection","42Crunch","API Protection","Connects the 42Crunch API protection to Azure Log Analytics via the REST API interface","[{""title"": ""Step 1 : Read the detailed documentation"", ""description"": ""The installation process is documented in great detail in the GitHub repository [Microsoft Sentinel integration](https://github.com/42Crunch/azure-sentinel-integration). 
The user should consult this repository further to understand installation and debug of the integration.""}, {""title"": ""Step 2: Retrieve the workspace access credentials"", ""description"": ""The first installation step is to retrieve both your **Workspace ID** and **Primary Key** from the Microsoft Sentinel platform.\nCopy the values shown below and save them for configuration of the API log forwarder integration."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Step 3: Install the 42Crunch protection and log forwarder"", ""description"": ""The next step is to install the 42Crunch protection and log forwarder to protect your API. Both components are availabe as containers from the [42Crunch repository](https://hub.docker.com/u/42crunch). The exact installation will depend on your environment, consult the [42Crunch protection documentation](https://docs.42crunch.com/latest/content/concepts/api_firewall_deployment_architecture.htm) for full details. 
Two common installation scenarios are described below:\n"", ""innerSteps"": [{""title"": ""Installation via Docker Compose"", ""description"": ""The solution can be installed using a [Docker compose file](https://github.com/42Crunch/azure-sentinel-integration/blob/main/sample-deployment/docker-compose.yml).""}, {""title"": ""Installation via Helm charts"", ""description"": ""The solution can be installed using a [Helm chart](https://github.com/42Crunch/azure-sentinel-integration/tree/main/helm/sentinel).""}]}, {""title"": ""Step 4: Test the data ingestion"", ""description"": ""In order to test the data ingestion the user should deploy the sample *httpbin* application alongside the 42Crunch protection and log forwarder [described in detail here](https://github.com/42Crunch/azure-sentinel-integration/tree/main/sample-deployment)."", ""innerSteps"": [{""title"": ""4.1 Install the sample"", ""description"": ""The sample application can be installed locally using a [Docker compose file](https://github.com/42Crunch/azure-sentinel-integration/blob/main/sample-deployment/docker-compose.yml) which will install the httpbin API server, the 42Crunch API protection and the Microsoft Sentinel log forwarder. Set the environment variables as required using the values copied from step 2.""}, {""title"": ""4.2 Run the sample"", ""description"": ""Verfify the API protection is connected to the 42Crunch platform, and then exercise the API locally on the *localhost* at port 8080 using Postman, curl, or similar. You should see a mixture of passing and failing API calls. ""}, {""title"": ""4.3 Verify the data ingestion on Log Analytics"", ""description"": ""After approximately 20 minutes access the Log Analytics workspace on your Microsoft Sentinel installation, and locate the *Custom Logs* section verify that a *apifirewall_log_1_CL* table exists. 
Use the sample queries to examine the data.""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch/42CrunchAPIProtection.json","","REST Pull API","Title/description mentions REST API","","","","","false","42Crunch API Protection","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"42CrunchAPIProtection","42Crunch","API Protection","Connects the 42Crunch API protection to Azure Log Analytics via the REST API interface","[{""title"": ""Step 1 : Read the detailed documentation"", ""description"": ""The installation process is documented in great detail in the GitHub repository [Microsoft Sentinel integration](https://github.com/42Crunch/azure-sentinel-integration). 
The user should consult this repository further to understand installation and debug of the integration.""}, {""title"": ""Step 2: Retrieve the workspace access credentials"", ""description"": ""The first installation step is to retrieve both your **Workspace ID** and **Primary Key** from the Microsoft Sentinel platform.\nCopy the values shown below and save them for configuration of the API log forwarder integration."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Step 3: Install the 42Crunch protection and log forwarder"", ""description"": ""The next step is to install the 42Crunch protection and log forwarder to protect your API. Both components are availabe as containers from the [42Crunch repository](https://hub.docker.com/u/42crunch). The exact installation will depend on your environment, consult the [42Crunch protection documentation](https://docs.42crunch.com/latest/content/concepts/api_firewall_deployment_architecture.htm) for full details. 
Two common installation scenarios are described below:\n"", ""innerSteps"": [{""title"": ""Installation via Docker Compose"", ""description"": ""The solution can be installed using a [Docker compose file](https://github.com/42Crunch/azure-sentinel-integration/blob/main/sample-deployment/docker-compose.yml).""}, {""title"": ""Installation via Helm charts"", ""description"": ""The solution can be installed using a [Helm chart](https://github.com/42Crunch/azure-sentinel-integration/tree/main/helm/sentinel).""}]}, {""title"": ""Step 4: Test the data ingestion"", ""description"": ""In order to test the data ingestion the user should deploy the sample *httpbin* application alongside the 42Crunch protection and log forwarder [described in detail here](https://github.com/42Crunch/azure-sentinel-integration/tree/main/sample-deployment)."", ""innerSteps"": [{""title"": ""4.1 Install the sample"", ""description"": ""The sample application can be installed locally using a [Docker compose file](https://github.com/42Crunch/azure-sentinel-integration/blob/main/sample-deployment/docker-compose.yml) which will install the httpbin API server, the 42Crunch API protection and the Microsoft Sentinel log forwarder. Set the environment variables as required using the values copied from step 2.""}, {""title"": ""4.2 Run the sample"", ""description"": ""Verfify the API protection is connected to the 42Crunch platform, and then exercise the API locally on the *localhost* at port 8080 using Postman, curl, or similar. You should see a mixture of passing and failing API calls. ""}, {""title"": ""4.3 Verify the data ingestion on Log Analytics"", ""description"": ""After approximately 20 minutes access the Log Analytics workspace on your Microsoft Sentinel installation, and locate the *Custom Logs* section verify that a *apifirewall_log_1_CL* table exists. 
Use the sample queries to examine the data.""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch/42CrunchAPIProtection.json","","REST Pull API","Title/description mentions REST API","","","","","false","42Crunch API Protection","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "A365","Microsoft","Agent 365","Agent 365 data connector gives richer insights into AI agent activity by bringing AI agent telemetry from Agent 365, AI Foundry, and Copilot in the Microsoft Sentinel data lake to investigate agent behavior, tool usage, and execution with hunting, graph, and MCP workflows. Data from this connector is used to investigate AI agent behavior, tool usage, and execution in Microsoft Sentinel. If you have enabled these workflows, deactivating this connector will prevent those investigations from being performed.","[{""instructions"": [{""parameters"": {""type"": ""A365"", ""description"": ""1. 
Connect Agent 365 assets to ingest into Microsoft Sentinel Lake."", ""items"": [{""label"": ""UnifiedAgentObservability""}]}, ""type"": ""MSG""}]}]","{""tenant"": [""GlobalAdmin""]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Agent%20365/Data%20Connectors/A365_DataConnectorDefinition.json","","Unknown","Method not detected","","","","","false","Agent 365","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#agent-365" "AIVectraDetect","Vectra AI","[Deprecated] Vectra AI Detect via Legacy Agent","The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives users more insight into their organization's network and improves their security operation capabilities.","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 over TCP, UDP or TLS.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward AI Vectra Detect logs to Syslog agent in CEF format"", ""description"": ""Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20AI%20Detect/Data%20Connectors/AIVectraDetect.json","","AMA","Title mentions Legacy Agent","Vectra Networks","X Series","{""CommonSecurityLog"": {""vendor"": [""Vectra Networks""], ""product"": [""X Series""]}}","CommonSecurityLog.DeviceEventClassID == ""hsc"" | CommonSecurityLog.DeviceEventClassID !in ""health,audit,campaigns,hsc,asc"" | CommonSecurityLog.DeviceProduct == ""X Series"" | CommonSecurityLog.DeviceVendor == ""Vectra Networks"" | _Computed.status != ""Other""","true","Vectra AI Detect","true","","true","","","","","","","" "AIVectraDetectAma","Vectra AI","[Deprecated] Vectra AI Detect via AMA","The AI Vectra Detect connector allows users to connect Vectra Detect logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives users more insight into their organization's network and improves their security operation capabilities.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward AI Vectra Detect logs to Syslog agent in CEF format"", ""description"": ""Configure Vectra (X Series) Agent to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nFrom the Vectra UI, navigate to Settings > Notifications and Edit Syslog configuration. Follow below instructions to set up the connection:\n\n- Add a new Destination (which is the host where the Microsoft Sentinel Syslog Agent is running)\n\n- Set the Port as **514**\n\n- Set the Protocol as **UDP**\n\n- Set the format to **CEF**\n\n- Set Log types (Select all log types available)\n\n- Click on **Save**\n\nUser can click the **Test** button to force send some test events.\n\n For more information, refer to Cognito Detect Syslog Guide which can be downloaded from the ressource page in Detect UI.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20AI%20Detect/Data%20Connectors/template_AIVectraDetectAma.json","","AMA","Title/ID indicates AMA","Vectra Networks","X Series","{""CommonSecurityLog"": {""vendor"": [""Vectra Networks""], ""product"": [""X Series""]}}","CommonSecurityLog.DeviceEventClassID == ""hsc"" | CommonSecurityLog.DeviceEventClassID !in ""health,audit,campaigns,hsc,asc"" | CommonSecurityLog.DeviceProduct =~ ""X Series"" | CommonSecurityLog.DeviceVendor =~ ""Vectra Networks"" | _Computed.status != ""Other""","true","Vectra AI Detect","true","","true","","","","","","","" 
@@ -18,6 +18,7 @@ "Agari","Agari","Agari Phishing Defense and Brand Protection","This connector uses a Agari REST API connection to push data into Microsoft Sentinel Log Analytics.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Agari APIs to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""STEP 1 - Get your Agari API credentials"", ""description"": ""\n1. Log into any Agari product (Client ID and Secret are the same for all applications) \n2. Click on your username in the upper right and select **Settings**\n3. Click on the **Generate API Secret** link to generate an API client_id and client_secret (the link will read **Regenerate API Secret** if you have already generated an API client ID/secret previously)\n4. Copy both the client_id and client_secret that are generated""}, {""title"": ""STEP 2 - (Optional) Enable the Security Graph API"", ""description"": ""Follow the instrcutions found on article [Connect Microsoft Sentinel to your threat intelligence platform](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence#connect-azure-sentinel-to-your-threat-intelligence-platform). 
Once the application is created you will need to record the Tenant ID, Client ID and Client Secret.""}, {""title"": ""STEP 3 - Deploy the connector and the associated Azure Function"", ""description"": ""\n>**IMPORTANT:** Before deploying the Agari Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Agari API credentials from the previous step."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Choose a deployement option"", ""description"": """"}, {""title"": ""Option 1: Deploy using the Azure Resource Manager (ARM) Template"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-agari-azuredeploy) \n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Agari Client ID**, **Agari Client Secret**, select `True` or `False` for the products you subscribe to, and if you wish to share IoCs with Sentinel, select `True` For **Enable Security Graph Sharing**, and enter the required IDs from the Azure Application.\n> - The Function App will request data from the Agari APIs every 5 minutes, corresponding to the Funciton App Timer.\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n6. 
**NOTE:** Due to the use of Environment Variables to store log access times, the App requires 1 additonal manual step. In the Function App, select the Function App Name and select Click on **Identity** and for System assigned Identity, click on **Azure role assignments** and **Add Role assignment**. Select **Subscription** as the scope, select your subscription and set the Role to **Contributor**. Click on **Save**.""}, {""title"": ""Option 2: Manual Deployment of Azure Functions"", ""description"": ""**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**.""}, {""title"": """", ""description"": ""**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Click on **Code + Test** on the left pane. \n3. Copy the [Function App Code](https://aka.ms/sentinel-agari-functionapp) and paste into the Function App `run.ps1` editor.\n3. Click **Save**.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following eight to twelve (8-12) application settings individually, with their respective string values (case-sensitive): \n\t\tclientID\n\t\tclientSecret\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\tenableBrandProtectionAPI\n\t\tenablePhishingResponseAPI\n\t\tenablePhishingDefenseAPI\n\t\tresGroup\n\t\tfunctionName\n\t\tsubId\n\t\tenableSecurityGraphSharing\n\t\t<--- Required if enableSecurityGraphSharing is set to true --->\n\t\tGraphTenantId\n\t\tGraphClientId\n\t\tGraphClientSecret\n\t\tlogAnalyticsUri (optional)\n> - Enter your Agari ClientID and Secret in 'clientId' and 'clientSecret'\n> - Enter 'true' or 'false' for 'enablePhishingDefense', 'enableBrandProtection', 'enablePhishingResponse' as per your product subscriptions.\n> - Enter your Resource Group name in resGroup, the name of the Function (from previous step) in functionName and your Subscription ID in subId.\n> - Enter 'true' or 'false' for 'enableSecurtyGraphAPI'. If you are enabling the Security Graph, the 'GraphTenantId','GraphClientId', and 'GraphClientSecret' is required.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n""}, {""title"": """", ""description"": ""**4. Set Permissions for the App**\n\n1. In the Function App, select the Function App Name and select Click on **Identity** and for System assigned Identity, set the status to On. \n\n2. Next, click on **Azure role assignments** and **Add Role assignment**. Select **Subscription** as the scope, select your subscription and set the Role to **Contributor**. Click on **Save**.""}, {""title"": """", ""description"": ""**5. Complete Setup.**\n\n1. Once all application settings have been entered, click **Save**. 
Note that it will take some time to have the required dependencies download, so you may see some inital failure messages.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Agari Phishing Defense, Phishing Response or Brand Protection API Client ID and Secret"", ""description"": ""Ensure you have your Client ID and Secret keys. Instructions can be found on the [Agari Developers Site](https://developers.agari.com/agari-platform/docs/quick-start).""}, {""name"": ""(Optional) Microsoft Security Graph API"", ""description"": ""The Agari Function App has the ability to share threat intelleigence with Microsoft Sentinel via the Security Graph API. To use this feature, you will need to enable the [Microsoft Sentinel Threat Intelligence Platforms connector](https://docs.microsoft.com/azure/sentinel/connect-threat-intelligence) as well as register an application in Azure Active Directory. 
""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Agari/Data%20Connectors/Agari_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","Agari","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "AgariConnector","Microsoft","Fortra Agari Data Connector (via Codeless Connector Framework)","The [Fortra Agari Data Connector](https://www.agari.com/) allows ingesting logs from Fortra Agari APIs into Microsoft Sentinel. This connector integrates with Agari Brand Protection (BP), Phishing Defense (APD), and Phishing Response (APR) products. It supports DCR-based ingestion time transformations for efficient query execution. Refer to [Agari API documentation](https://developers.agari.com/agari-platform/reference/overview) for more information.","[{""title"": ""Configuration steps for the Agari API"", ""description"": ""Follow the instructions below to obtain your Agari API credentials."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. Retrieve API URL\nLog in to your Agari Console and navigate to the API section. The default API URL is https://api.agari.com""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Retrieve Client Credentials\nObtain your Client ID and Client Secret from the API credentials section in your Agari account. Note that different Agari products (Brand Protection, Phishing Defense, Phishing Response) may require separate API credentials.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Select Data Streams\nChoose which Agari data streams you want to collect. 
You can select one or more streams based on your subscription and requirements.""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Base API URL"", ""placeholder"": ""https://api.agari.com"", ""type"": ""text"", ""name"": ""apiUrl"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""Your Client ID"", ""type"": ""text"", ""name"": ""clientId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Your Client Secret"", ""type"": ""password"", ""name"": ""clientSecret"", ""validations"": {""required"": true}}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Data Streams to Collect"", ""name"": ""enabledPollers"", ""options"": [{""key"": ""BPAlerts"", ""text"": ""Brand Protection Alerts (with nested details)""}, {""key"": ""APDPolicy"", ""text"": ""Phishing Defense Policy Events""}, {""key"": ""APDThreatCategories"", ""text"": ""Phishing Defense Threat Categories""}, {""key"": ""BPThreatFeedSubmissions"", ""text"": ""Brand Protection Threat Feed URL Submissions (IoC)""}, {""key"": ""APRInvestigations"", ""text"": ""Phishing Response Investigation Attachments""}], ""isMultiSelect"": true, ""defaultAllSelected"": true, ""required"": true}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Agari/Data%20Connectors/Agari_CCF/Agari_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","Agari","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Agari/Data%20Connectors/Agari_CCF/Agari_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Agari/Data%20Connectors/Agari_CCF/Agari_PollerConfig.json","OAuth2;Paging;Nested","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#fortra-agari-data-connector-via-codeless-connector-framework" "AirlockDigitalConnector","Microsoft","Airlock Digital connector (via Codeless Connector Framework)","The Airlock Digital connector collects application control and execution logs from your Airlock Digital server, providing visibility into file executions, server activities, and security event summaries in Microsoft Sentinel.","[{""title"": ""1. Configure Airlock Digital API Access"", ""description"": ""Provide API connection details for Airlock Digital"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""**Before you begin:**\r\n- Access to your Airlock Digital server\r\n- API Key from Airlock Digital (User Menu > Settings > API Keys)\r\n- Server must be accessible from Azure (ensure firewall allows connections)\r\n\r\n**Base URL:** Enter your Airlock Digital server URL. Default port is 3129 for REST API.\r\nExample: `https://airlock.company.com:3129`""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Base URL"", ""placeholder"": ""https://server.name:3129"", ""type"": ""text"", ""name"": ""BaseUrl"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""Enter your Airlock Digital API Key"", ""type"": ""password"", ""name"": ""apiKey"", ""validations"": {""required"": true}}}]}, {""title"": ""2. 
Connect and Start Data Collection"", ""description"": ""Click Connect to start ingesting Airlock Digital logs"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""**The connector collects:**\r\n- **Execution Histories**: File execution events including blocked, audited, and trusted executions with file hashes, publishers, and user details\r\n- **Server Activities**: Administrative actions, policy changes, agent check-ins, and repository updates\r\n- **File Activity Summary**: Aggregated statistics on file activity, security events, and execution trends\r\n\r\n**Data refresh:** Logs are retrieved every 5 minutes. Data should appear within 5-10 minutes after connection.""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Airlock Digital API Key"", ""description"": ""API Key with read access to logging endpoints. 
Generate from Airlock Digital Web UI: User Menu > Settings > API Keys.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AirlockDigital/Data%20Connectors/AirlockDigital_CCF/AirlockDigital_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","AirlockDigital","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AirlockDigital/Data%20Connectors/AirlockDigital_CCF/AirlockDigital_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AirlockDigital/Data%20Connectors/AirlockDigital_CCF/AirlockDigital_PollerConfig.json","APIKey;Paging;POST","","","","" +"AkamaiGuardicore","Akamai","Akamai Guardicore","The Akamai Guardicore connector uses the Codeless Connector Framework (CCF) to import Agents, Assets, Applications, and Policy Rules from a Guardicore Centra instance into Microsoft Sentinel via Data Collection Rule (DCR) ingestion. The connector polls every 10 minutes via Microsoft Sentinel's CCF runtime; no Azure Function App is deployed.","[{""title"": ""Connect Akamai Guardicore to Microsoft Sentinel"", ""description"": ""**Prerequisites**\n\n1. You must have a reachable Akamai Guardicore Centra management instance with API access enabled.\n2. Create (or obtain) an API user in Guardicore Centra with the **Read-only** role. This account must be authorized to call `/api/v3.0/authenticate`, `/api/v3.0/agents`, `/api/v3.0/assets`, `/api/v3.0/workflow/projects`, and `/api/v3.0/visibility/policy/rules`.\n3. Have the Guardicore management URL (for example `https://.cloud.guardicore.com`) and the service-account username and password ready.\n4. The connector polls every 10 minutes via Microsoft Sentinel's CCF runtime. 
No Azure Function App is deployed.\n\nProvide your Guardicore Centra service-account details and click **Connect** to start polling."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Guardicore Management URL"", ""placeholder"": ""https://.cloud.guardicore.com"", ""type"": ""text"", ""name"": ""guardicoreUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Guardicore Username"", ""placeholder"": ""service-account username"", ""type"": ""text"", ""name"": ""guardicoreUser""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Guardicore Password"", ""placeholder"": ""service-account password"", ""type"": ""password"", ""name"": ""guardicorePassword""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore/Data%20Connectors/AkamaiGuardicoreLogs_ccp/AkamaiGuardicore_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Akamai Guardicore","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore/Data%20Connectors/AkamaiGuardicoreLogs_ccp/AkamaiGuardicore_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore/Data%20Connectors/AkamaiGuardicoreLogs_ccp/AkamaiGuardicore_PollingConfig.json","JwtToken;Paging","","","","" "AkamaiSecurityEvents","Akamai","[Deprecated] Akamai Security Events via Legacy Agent","Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security 
Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.","[{""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Security%20Events/Data%20Connectors/Connector_CEF_Akamai.json","","AMA","Title mentions Legacy Agent","Akamai","akamai_siem","{""CommonSecurityLog"": {""vendor"": [""Akamai""], ""product"": [""akamai_siem""]}}","CommonSecurityLog.DeviceProduct == ""akamai_siem"" | CommonSecurityLog.DeviceVendor == ""Akamai""","true","Akamai Security Events","true","","true","","","","","","","" "AkamaiSecurityEventsAma","Akamai","[Deprecated] Akamai Security Events via AMA","Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address."", ""instructions"": []}, {""title"": ""Step C. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Security%20Events/Data%20Connectors/template_AkamaiSecurityEventsAMA.json","","AMA","Title/ID indicates AMA","Akamai","akamai_siem","{""CommonSecurityLog"": {""vendor"": [""Akamai""], ""product"": [""akamai_siem""]}}","CommonSecurityLog.DeviceProduct =~ ""akamai_siem"" | CommonSecurityLog.DeviceVendor =~ ""Akamai""","true","Akamai Security Events","true","","true","","","","","","","" "AliCloud","AliCloud","AliCloud","The [AliCloud](https://www.alibabacloud.com/product/log-service) data connector provides the capability to retrieve logs from cloud applications using the Cloud API and store events into Microsoft Sentinel through the [REST API](https://aliyun-log-python-sdk.readthedocs.io/api.html). The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AliCloud**](https://aka.ms/sentinel-AliCloud-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the AliCloud API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **AliCloudAccessKeyId** and **AliCloudAccessKey**: log in the account, click on AccessKey Management then click View Secret.\n2. Save credentials for using in the data connector.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the AliCloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the AliCloud data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-AliCloudAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **WorkspaceID**, **WorkspaceKey**, **AliCloudAccessKeyId**, **AliCloudAccessKey**, **AliCloudProjects** and **AppInsightsWorkspaceResourceID** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": """", ""description"": ""**Option 2 - Manual Deployment of Azure Functions**\n\nUse the following step-by-step instructions to deploy the AliCloud data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-AliCloudAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. 
**Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AliCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAliCloudAccessKeyId\n\t\tAliCloudAccessKey\n\t\tAliCloudProjects\n\t\tAppInsightsWorkspaceResourceID\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**AliCloudAccessKeyId** and **AliCloudAccessKey** are required for making API calls.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alibaba%20Cloud/DataConnectors/AliCloud_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Alibaba Cloud","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#alicloud-using-azure-functions" 
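Review bot: In the added `AkamaiGuardicore` row the management-URL placeholder is emitted as `https://.cloud.guardicore.com` (both in prerequisite 3 of the instruction text and in the `guardicoreUrl` Textbox `placeholder`), so the tenant component is missing and the rendered hint is a malformed host; the same stripped pattern shows up in the unchanged `ArmisAlerts` (`https://.armis.com/api/v1/`) and `AliCloud` (`https://.ods.opinsights.azure.us`) rows, which suggests the generator or the CSV export is dropping an angle-bracket placeholder rather than this connector being mis-defined. Consider preserving or substituting a visible token (for example `<tenant>`) when the mapping is written. Also worth a glance: the row's `permissionsDisplayText` says "Read and write permissions on the workspace are required." while `requiredPermissions` declares `"delete": true`, so the displayed text understates the permission actually requested; since the mapper copies both verbatim from the connector definition this is an upstream inconsistency, but a column flagging display-text/permission mismatches would make such cases easy to spot across the index.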
@@ -33,7 +34,7 @@ "ArmisAlerts","Armis","Armis Alerts","The [Armis](https://www.armis.com/) Alerts connector gives the capability to ingest Armis Alerts into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ArmisAlertsAPI-parser) to create the Kusto functions alias, **ArmisAlerts**""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. 
The secret key can now be copied and used during the Armis Alerts connector configuration""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alert data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Armis Alert data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Armis Secret Key** is required. 
See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis/Data%20Connectors/ArmisAlerts/ArmisAlerts_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","Armis","false","","false","","","","Undetermined","Azure Function code contains both Log Ingestion API and HTTP Data Collector API patterns","","" "ArmisAlertsActivities","Armis","Armis Alerts Activities","The [Armis](https://www.armis.com/) Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities/ArmisAlerts and load the function code. The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Alerts Activities connector configuration""}, {""title"": """", ""description"": ""**STEP 2 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of Armis Alerts Activities Data Connector. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 3 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of Armis Alerts Activities Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of Armis Alerts Activities Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 4 - Get Object ID of your application in Microsoft Entra ID**\n\n After creating your app registration, follow the steps in this section to get Object ID:\n 1. Go to **Microsoft Entra ID**.\n 2. Select **Enterprise applications** from the left menu.\n 3. Find your newly created application in the list (you can search by the name you provided).\n 4. Click on the application.\n 5. On the overview page, copy the **Object ID**. 
This is the **AzureEntraObjectId** needed for your ARM template role assignment.\n""}, {""title"": """", ""description"": ""**STEP 5 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)""}, {""title"": """", ""description"": ""**STEP 6 - Create a Keyvault**\n\n Follow these instructions to create a new Keyvault.\n 1. In the Azure portal, Go to **Key vaults**. Click create.\n 2. Select Subsciption, Resource Group and provide unique name of keyvault.\n\n> **NOTE:** Create a separate key vault for each **API key** within one workspace.""}, {""title"": """", ""description"": ""**STEP 7 - Create Access Policy in Keyvault**\n\n Follow these instructions to create access policy in Keyvault.\n 1. Go to keyvaults, select your keyvault, go to Access policies on left side panel. Click create.\n 2. Select all keys & secrets permissions. Click next.\n 3. In the principal section, search by application name which was generated in STEP - 2. 
Click next.\n\n> **NOTE:** Ensure the Permission model in the Access Configuration of Key Vault is set to **'Vault access policy'**""}, {""title"": """", ""description"": ""**STEP 8 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Device data connector, have the Armis API Authorization Key(s) readily available..""}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace Name \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tSeverity (Default: Low) \n\t\tArmis Schedule \n\t\tKeyVault Name \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tAzure Entra ObjectID \n\t\tTenant Id \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Armis Alerts Activities data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. 
Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsActivities320-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.12\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace Name \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tSeverity (Default: Low) \n\t\tArmis Schedule \n\t\tKeyVault Name \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tAzure Entra ObjectID \n\t\tTenant Id \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Armis Secret Key** is required. 
See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis/Data%20Connectors/ArmisAlertsActivities/ArmisAlertsActivities_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Armis","false","","true","","","","Log Ingestion API|Undetermined","Sibling ARM template declares DCR / Log Ingestion API resources|Azure Function code contains both Log Ingestion API and HTTP Data Collector API patterns","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#armis-alerts-activities-using-azure-functions" "ArmisDevices","Armis","Armis Devices","The [Armis](https://www.armis.com/) Device connector gives the capability to ingest Armis Devices into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get device information from the Armis platform. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Armis can also integrate with your existing IT & security management tools to identify and classify each and every device, managed or unmanaged in your environment.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ArmisDevice-parser) to create the Kusto functions alias, **ArmisDevice**""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Device connector configuration""}, {""title"": """", ""description"": ""**STEP 2 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of Armis Device Data Connector. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 3 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of Armis Device Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of Armis Device Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 4 - Get Object ID of your application in Microsoft Entra ID**\n\n After creating your app registration, follow the steps in this section to get Object ID:\n 1. Go to **Microsoft Entra ID**.\n 2. Select **Enterprise applications** from the left menu.\n 3. Find your newly created application in the list (you can search by the name you provided).\n 4. Click on the application.\n 5. On the overview page, copy the **Object ID**. 
This is the **AzureEntraObjectId** needed for your ARM template role assignment.\n""}, {""title"": """", ""description"": ""**STEP 5 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)""}, {""title"": """", ""description"": ""**STEP 6 - Create a Keyvault**\n\n Follow these instructions to create a new Keyvault.\n 1. In the Azure portal, Go to **Key vaults**. Click create.\n 2. Select Subsciption, Resource Group and provide unique name of keyvault.\n\n> **NOTE:** Create a separate key vault for each **API key** within one workspace.""}, {""title"": """", ""description"": ""**STEP 7 - Create Access Policy in Keyvault**\n\n Follow these instructions to create access policy in Keyvault.\n 1. Go to keyvaults, select your keyvault, go to Access policies on left side panel. Click create.\n 2. Select all keys & secrets permissions. Click next.\n 3. In the principal section, search by application name which was generated in STEP - 2. 
Click next.\n\n> **NOTE:** Ensure the Permission model in the Access Configuration of Key Vault is set to **'Vault access policy'**""}, {""title"": """", ""description"": ""**STEP 8 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Device data connector, have the Armis API Authorization Key(s) readily available..""}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisDevice-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisDevice-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tLocation \n\t\tWorkspace Name \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Device Table Name \n\t\tArmis Schedule \n\t\tKeyVault Name \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tAzure Entra ObjectID \n\t\tTenant Id \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Armis Device data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisDevice320-functionapp) file. 
Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.12\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tLocation \n\t\tWorkspace Name \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Device Table Name \n\t\tArmis Schedule \n\t\tKeyVault Name \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tAzure Entra ObjectID \n\t\tTenant Id \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Armis Secret Key** is required. 
See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis/Data%20Connectors/ArmisDevice/ArmisDevice_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Armis","false","","true","","","","Log Ingestion API|Undetermined","Sibling ARM template declares DCR / Log Ingestion API resources|Azure Function code contains both Log Ingestion API and HTTP Data Collector API patterns","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#armis-devices-using-azure-functions" -"Armorblox","Armorblox","Armorblox","The [Armorblox](https://www.armorblox.com/) data connector provides the capability to ingest incidents from your Armorblox instance into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Armorblox API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Armorblox API**\n\n Follow the instructions to obtain the API token.\n\n1. Log in to the Armorblox portal with your credentials.\n2. In the portal, click **Settings**.\n3. In the **Settings** view, click **API Keys**\n4. 
Click **Create API Key**.\n5. Enter the required information.\n6. Click **Create**, and copy the API token displayed in the modal.\n7. Save API token for using in the data connector.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armorblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Armorblox data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-armorblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ArmorbloxAPIToken**, **ArmorbloxInstanceURL** OR **ArmorbloxInstanceName**, and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Armorblox data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-armorblox-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. Armorblox).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tArmorbloxAPIToken\n\t\tArmorbloxInstanceName OR ArmorbloxInstanceURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLogAnalyticsUri (optional)\n> - Use LogAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Armorblox Instance Details"", ""description"": ""**ArmorbloxInstanceName** OR **ArmorbloxInstanceURL** is required""}, {""name"": ""Armorblox API Credentials"", ""description"": ""**ArmorbloxAPIToken** is required""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Data%20Connectors/Armorblox_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Armorblox","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" +"Armorblox","Armorblox","Armorblox","The [Armorblox](https://www.armorblox.com/) data connector provides the capability to ingest incidents from your Armorblox instance into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Armorblox API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Armorblox API**\n\n Follow the instructions to obtain the API token.\n\n1. Log in to the Armorblox portal with your credentials.\n2. In the portal, click **Settings**.\n3. 
In the **Settings** view, click **API Keys**\n4. Click **Create API Key**.\n5. Enter the required information.\n6. Click **Create**, and copy the API token displayed in the modal.\n7. Save API token for using in the data connector.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armorblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Armorblox data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-armorblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ArmorbloxAPIToken**, **ArmorbloxInstanceURL** OR **ArmorbloxInstanceName**, and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Armorblox data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-armorblox-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. Armorblox).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tArmorbloxAPIToken\n\t\tArmorbloxInstanceName OR ArmorbloxInstanceURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLogAnalyticsUri (optional)\n> - Use LogAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Armorblox Instance Details"", ""description"": ""**ArmorbloxInstanceName** OR **ArmorbloxInstanceURL** is required""}, {""name"": ""Armorblox API Credentials"", ""description"": ""**ArmorbloxAPIToken** is required""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox/Data%20Connectors/Armorblox_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Armorblox","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "ArubaClearPass","Aruba Networks","[Deprecated] Aruba ClearPass via Legacy Agent","The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Aruba ClearPass logs to a Syslog agent"", ""description"": ""Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. 
Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass/Data%20Connectors/Connector_Syslog_ArubaClearPass.json","","AMA","Title mentions Legacy Agent","Aruba Networks","ClearPass","{""CommonSecurityLog"": {""vendor"": [""Aruba Networks""], ""product"": [""ClearPass""]}}","CommonSecurityLog.DeviceProduct == ""ClearPass"" | CommonSecurityLog.DeviceVendor == ""Aruba Networks"" | _Computed.DeviceCustomDate1Label == ""Endpoint.Added-At"" | _Computed.DeviceCustomString3Label == ""Endpoint.Device-Category"" | _Computed.DeviceCustomString4Label == ""Endpoint.Device-Family"" | _Computed.DeviceCustomString5Label == ""Endpoint.Device-Name"" | _Computed.DeviceCustomString6Label == ""Endpoint.MAC-Vendor""","true","Aruba ClearPass","true","","true","","","","","","","" "ArubaClearPassAma","Aruba Networks","[Deprecated] Aruba ClearPass via AMA","The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Aruba ClearPass logs to a Syslog agent"", ""description"": ""Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."", ""instructions"": []}, {""title"": ""Step C. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass/Data%20Connectors/template_ArubaClearPassAMA.json","","AMA","Title/ID indicates AMA","Aruba Networks","ClearPass","{""CommonSecurityLog"": {""vendor"": [""Aruba Networks""], ""product"": [""ClearPass""]}}","CommonSecurityLog.DeviceProduct =~ ""ClearPass"" | CommonSecurityLog.DeviceVendor =~ ""Aruba Networks"" | _Computed.DeviceCustomDate1Label == ""Endpoint.Added-At"" | _Computed.DeviceCustomString3Label == ""Endpoint.Device-Category"" | _Computed.DeviceCustomString4Label == ""Endpoint.Device-Family"" | _Computed.DeviceCustomString5Label == ""Endpoint.Device-Name"" | _Computed.DeviceCustomString6Label == ""Endpoint.MAC-Vendor""","true","Aruba ClearPass","true","","true","","","","","","","" "AtlassianBeaconAlerts","DEFEND Ltd.","Atlassian Beacon Alerts","Atlassian Beacon is a cloud product that is built for Intelligent threat detection across the Atlassian platforms (Jira, Confluence, and Atlassian Admin). This can help users detect, investigate and respond to risky user activity for the Atlassian suite of products. The solution is a custom data connector from DEFEND Ltd. that is used to visualize the alerts ingested from Atlassian Beacon to Microsoft Sentinel via a Logic App.","[{""description"": "">1. Navigate to the newly installed Logic App 'Atlassian Beacon Integration'\n\n>2. Navigate to 'Logic app designer'\n\n>3. Expand the 'When a HTTP request is received'\n\n>4. Copy the 'HTTP POST URL'"", ""title"": ""1. Microsoft Sentinel""}, {""description"": "">1. 
Login to Atlassian Beacon using an admin account\n\n>2. Navigate to 'SIEM forwarding' under SETTINGS\n\n> 3. Paste the copied URL from Logic App in the text box\n\n> 4. Click the 'Save' button"", ""title"": ""2. Atlassian Beacon""}, {""description"": "">1. Login to Atlassian Beacon using an admin account\n\n>2. Navigate to 'SIEM forwarding' under SETTINGS\n\n> 3. Click the 'Test' button right next to the newly configured webhook\n\n> 4. Navigate to Microsoft Sentinel\n\n> 5. Navigate to the newly installed Logic App\n\n> 6. Check for the Logic App Run under 'Runs history'\n\n> 7. Check for logs under the table name 'atlassian_beacon_alerts_CL' in 'Logs'\n\n> 8. If the analytic rule has been enabled, the above Test alert should have created an incident in Microsoft Sentinel"", ""title"": ""3. Testing and Validation""}]","{""resourceProvider"": [{""permissionsDisplayText"": ""read and write permissions are required."", ""provider"": ""Microsoft.OperationalInsights/workspaces"", ""providerDisplayName"": ""Workspace"", ""requiredPermissions"": {""delete"": true, ""read"": true, ""write"": true}, ""scope"": ""Workspace""}, {""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""providerDisplayName"": ""Keys"", ""requiredPermissions"": {""action"": true}, ""scope"": ""Workspace""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Integration%20for%20Atlassian%20Beacon/Data%20Connectors/AtlassianBeacon_DataConnector.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Integration for Atlassian Beacon","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#atlassian-beacon-alerts" 
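Review bot: the AtlassianBeaconAlerts row at the end of this hunk is labelled "REST Pull API" only because the classifier promoted it from "Unknown (Custom Log)" on the SharedKey permission pattern, but the connector's own instructions describe the opposite direction: the 'HTTP POST URL' of the Logic App's 'When a HTTP request is received' trigger is pasted into Atlassian Beacon's 'SIEM forwarding' settings, so the vendor pushes alerts to a webhook and nothing is pulled. The SharedKey signal supports the ingestion-method column ("HTTP Data Collector API", which the row already records) but says nothing about collection direction; consider not promoting to "REST Pull API" on that signal alone, or adding a Logic App/webhook category so this row is not misclassified.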
@@ -82,7 +83,7 @@ "Bitglass","Bitglass","Bitglass","The [Bitglass](https://www.bitglass.com/) data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Bitglass**](https://aka.ms/sentinel-bitglass-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Bitglass Log Retrieval API**\n\n Follow the instructions to obtain the credentials.\n\n1. Please contact Bitglass [support](https://pages.bitglass.com/Contact.html) and obtain the **BitglassToken** and **BitglassServiceURL** ntation].\n2. 
Save credentials for using in the data connector.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Bitglass data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Bitglass data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-bitglass-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **BitglassToken**, **BitglassServiceURL** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Bitglass data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-bitglass-functionapp) file. 
Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. BitglassXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tBitglassToken\n\t\tBitglassServiceURL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**BitglassToken** and **BitglassServiceURL** are required for making API calls.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Data%20Connectors/Bitglass_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Bitglass","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#bitglass-using-azure-functions" "BitwardenEventLogs","Bitwarden Inc","Bitwarden Event Logs","This connector provides insight into activity of your Bitwarden organization such as user's activity (logged in, changed password, 2fa, etc.), cipher activity (created, updated, deleted, shared, etc.), collection activity, organization activity, and more.","[{""description"": ""Your API key can be found in the Bitwarden organization admin console.\nPlease see [Bitwarden documentation](https://bitwarden.com/help/public-api/#authentication) for more information.\nSelf-hosted Bitwarden servers may need to reconfigure their installation's URL."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Bitwarden Identity Url"", ""placeholder"": ""https://identity.bitwarden.com"", ""type"": ""text"", ""name"": ""identityEndpoint""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Bitwarden Api Url"", ""placeholder"": ""https://api.bitwarden.com"", ""type"": ""text"", ""name"": ""apiEndpoint""}}, {""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Client ID"", ""clientSecretLabel"": ""Client Secret"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}], ""title"": ""Connect Bitwarden Event Logs to Microsoft Sentinel""}]","{""resourceProvider"": 
[{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Bitwarden Client Id and Client Secret"", ""description"": ""Your API key can be found in the Bitwarden organization admin console. Please see [Bitwarden documentation](https://bitwarden.com/help/public-api/#authentication) for more information.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitwarden/Data%20Connectors/BitwardenEventLogs/definitions.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Bitwarden","false","","true","","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitwarden/Data%20Connectors/BitwardenEventLogs/connectors.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#bitwarden-event-logs" "BlackberryCylancePROTECT","Blackberry","[Deprecated] Blackberry CylancePROTECT","The [Blackberry CylancePROTECT](https://www.blackberry.com/us/en/products/blackberry-protect) connector allows you to easily connect your CylancePROTECT logs with Microsoft Sentinel. 
This gives you more insight into your organization's network and improves your security operation capabilities.","[{""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias CyclanePROTECT and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blackberry%20CylancePROTECT/Parsers/CylancePROTECT.txt), on the second line of the query, enter the hostname(s) of your CyclanePROTECT device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": ""1. Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. 
Select the link below to open your workspace **agents configuration**, and select the **Syslog** tab.\n2. Select **Add facility** and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click **Apply**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the CylancePROTECT"", ""description"": ""[Follow these instructions](https://docs.blackberry.com/content/dam/docs-blackberry-com/release-pdfs/en/cylance-products/syslog-guides/Cylance%20Syslog%20Guide%20v2.0%20rev12.pdf) to configure the CylancePROTECT to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""CylancePROTECT"", ""description"": ""must be configured to export logs via Syslog.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blackberry%20CylancePROTECT/Data%20Connectors/template_BlackberryCylancePROTECT.JSON","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.SyslogMessage contains ""AuditLog"" | Syslog.SyslogMessage contains ""Device,"" | Syslog.SyslogMessage contains ""DeviceControl"" | Syslog.SyslogMessage contains ""ScriptControl"" | Syslog.SyslogMessage contains ""Threat""","true","Blackberry CylancePROTECT","true","","true","","","","","","","" -"BloodHoundEnterprise","SpecterOps","BloodHound Enterprise Data Connector (using Azure Functions)","**[BloodHound Enterprise](https://bloodhoundenterprise.io/)** from **[SpecterOps](https://specterops.io/)** is an **Identity Attack Path 
Management** platform: it maps how attackers can move through identity relationships to reach critical assets so teams can **prioritize and remediate** those paths not only detect them. It brings clarity to identity sprawl in **Active Directory**, **Azure**, and beyond, including **Privilege Zone** style protection around what matters most in your environment.

This **Microsoft Sentinel** connector adds **BloodHound Enterprise attack path context** into your workspace alongside logs and alerts so you can **enrich investigations**, focus on high-value findings, and track exposure, audit activity, and **Tier Zero** assets in one place.

**What this connector does**
- Connects to the **BloodHound Enterprise REST API** using your configured credentials (see [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api)) and runs on a **schedule** you set when the Azure Function is deployed. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).","[{""title"": ""Step 1. Create BloodHound Enterprise API credentials"", ""description"": ""In your BloodHound Enterprise tenant, create API credentials (**Token ID** and **Token key**) used to sign requests to the REST API. Follow [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api) to create API credentials then store the values securely.""}, {""title"": ""Step 2. Create Microsoft Entra application"", ""description"": ""Create a Microsoft Entra ID (Azure AD) application used for ingestion to Log Analytics (for example DCE/DCR-related access). Follow [Create a Microsoft Entra application](https://learn.microsoft.com/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-microsoft-entra-application) to create Microsoft Entra application & its credentials then save **Application (client) ID**, **Client secret** value, and any other IDs your administrator requires. Store the client secret securely.""}, {""title"": ""Step 3. Deploy Function App"", ""description"": "">**NOTE:** This connector uses Azure Functions to pull data from BloodHound Enterprise into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**IMPORTANT:** Before deploying the BloodHound Enterprise connector, have the **Workspace name** (see below), **BloodHound Enterprise tenant URL**, **Token ID** and **Token key**, **Microsoft Entra Application (client) ID** and **client secret**, and your desired **environment** and **finding type** filters (or use template defaults such as **All**) ready."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceName""], ""label"": ""Workspace Name""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Deploy all the resources related to the data connector"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-BloodhoundEnterprise-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group**, and **Location**.\n3. Enter **Function App name**, **Log Analytics workspace name** (Microsoft Sentinel workspace), **BloodHound Enterprise tenant domain** (URL), **BloodHound Token ID** and **Token key** (secure parameters), **Microsoft Entra Application (client) ID**, and **Microsoft Entra application client secret**.\n4. Optional: set **Lookup days** (historical lookback), **Selected BloodHound environments** (comma-separated or **All**), and **Selected finding types** (or **All**) as described in the template.\n5. 
Click **Review + create**, then **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""BloodHound Enterprise API access"", ""description"": ""**Token ID**, **Token key**, and your tenant **base URL** are required to authenticate to the BloodHound Enterprise REST API (requests are signed per the SpecterOps API model see [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api)).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise/Data%20Connectors/BloodHoundFunction.json","","Azure Function","Description mentions Azure Functions","","","","","false","BloodHound Enterprise","false","","true","","","","Log Ingestion API|HTTP Data Collector API","Sibling ARM template declares DCR / Log Ingestion API resources|Connector definition requires workspace key (SharedKey pattern)","","" +"BloodHoundEnterprise","SpecterOps","BloodHound Enterprise Data Connector (using Azure 
Functions)","**[BloodHound Enterprise](https://bloodhoundenterprise.io/)** from **[SpecterOps](https://specterops.io/)** is an **Identity Attack Path Management** platform: it maps how attackers can move through identity relationships to reach critical assets so teams can **prioritize and remediate** those paths not only detect them. It brings clarity to identity sprawl in **Active Directory**, **Azure**, and beyond, including **Privilege Zone** style protection around what matters most in your environment.

This **Microsoft Sentinel** connector adds **BloodHound Enterprise attack path context** into your workspace alongside logs and alerts so you can **enrich investigations**, focus on high-value findings, and track exposure, audit activity, and **Tier Zero** assets in one place.

**What this connector does**
- Connects to the **BloodHound Enterprise REST API** using your configured credentials (see [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api)) and runs on a **schedule** you set when the Azure Function is deployed. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).","[{""title"": ""Step 1. Create BloodHound Enterprise API credentials"", ""description"": ""In your BloodHound Enterprise tenant, create API credentials (**Token ID** and **Token key**) used to sign requests to the REST API. Follow [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api) to create API credentials then store the values securely.""}, {""title"": ""Step 2. Create Microsoft Entra application"", ""description"": ""Create a Microsoft Entra ID (Azure AD) application used for ingestion to Log Analytics (for example DCE/DCR-related access). Follow [Create a Microsoft Entra application](https://learn.microsoft.com/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-microsoft-entra-application) to create Microsoft Entra application & its credentials then save **Application (client) ID**, **Client secret** value, and any other IDs your administrator requires. Store the client secret securely.""}, {""title"": ""Step 3. Deploy Function App"", ""description"": "">**NOTE:** This connector uses Azure Functions to pull data from BloodHound Enterprise into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**IMPORTANT:** Before deploying the BloodHound Enterprise connector, have the **Workspace name** (see below), **BloodHound Enterprise tenant URL**, **Token ID** and **Token key**, **Microsoft Entra Application (client) ID** and **client secret**, and your desired **environment** and **finding type** filters (or use template defaults such as **All**) ready."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceName""], ""label"": ""Workspace Name""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Deploy all the resources related to the data connector"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-BloodhoundEnterprise-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group**, and **Location**.\n3. Enter **Function App name**, **Log Analytics workspace name** (Microsoft Sentinel workspace), **BloodHound Enterprise tenant domain** (URL), **BloodHound Token ID** and **Token key** (secure parameters), **Microsoft Entra Application (client) ID**, and **Microsoft Entra application client secret**.\n4. Optional: set **Lookup days** (historical lookback), **Selected BloodHound environments** (comma-separated or **All**), and **Selected finding types** (or **All**) as described in the template.\n5. 
Click **Review + create**, then **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""BloodHound Enterprise API access"", ""description"": ""**Token ID**, **Token key**, and your tenant **base URL** are required to authenticate to the BloodHound Enterprise REST API (requests are signed per the SpecterOps API model see [Working with the API](https://bloodhound.specterops.io/integrations/bloodhound-api/working-with-api)).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise/Data%20Connectors/BloodHoundFunction.json","","Azure Function","Description mentions Azure Functions","","","","","false","BloodHound Enterprise","false","","false","","","","Log Ingestion API|HTTP Data Collector API","Sibling ARM template declares DCR / Log Ingestion API resources|Connector definition requires workspace key (SharedKey pattern)","","" "BoschAIShield","Bosch","AIShield","[AIShield](https://www.boschaishield.com/) connector allows 
users to connect with AIShield custom defense mechanism logs with Microsoft Sentinel, allowing the creation of dynamic Dashboards, Workbooks, Notebooks and tailored Alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into their organization's AI assets security posturing and improves their AI systems security operation capabilities.AIShield.GuArdIan analyzes the LLM generated content to identify and mitigate harmful content, safeguarding against legal, policy, role based, and usage based violations","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AIShield**](https://aka.ms/sentinel-boschaishield-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": ""\n>**IMPORTANT:** Before deploying the AIShield Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Note"", ""description"": ""Users should have utilized AIShield SaaS offering to conduct vulnerability analysis and deployed custom defense mechanisms generated along with their AI asset. [**Click here**](https://azuremarketplace.microsoft.com/marketplace/apps/rbei.bgsw_aishield_product) to know more or get in touch.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring/Data%20Connectors/AIShieldConnector.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","AIShield AI Security Monitoring","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#aishield" "BoxDataConnector","Box","[DEPRECATED] Box Events (using Azure Function)","The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Box REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration of the Box events collection**\n\nSee documentation to [setup JWT authentication](https://developer.box.com/guides/authentication/jwt/jwt-setup/) and [obtain JSON file with credentials](https://developer.box.com/guides/authentication/jwt/with-sdk/#prerequisites).""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Box data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Box JSON configuration file, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Box data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-BoxDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**, **BoxConfigJSON**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Box data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the [Azure Function App](https://aka.ms/sentinel-BoxDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tBOX_CONFIG_JSON\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. 
For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Box API Credentials"", ""description"": ""Box config JSON file is required for Box REST API JWT authentication. 
[See the documentation to learn more about JWT authentication](https://developer.box.com/guides/authentication/jwt/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Data%20Connectors/Box_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Box","true","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#box-events-ccp" "BoxEventsCCPDefinition","Microsoft","Box Events (via Codeless Connector Framework)","The Box data connector provides the capability to ingest [Box enterprise's events](https://developer.box.com/guides/events/#admin-events) into Microsoft Sentinel using the Box REST API. Refer to [Box documentation](https://developer.box.com/guides/events/enterprise-events/for-enterprise/) for more information.","[{""description"": "">**NOTE:** This connector uses Codeless Connecor Platform (CCP) to connect to the Box REST API to pull logs into Microsoft Sentinel.""}, {""description"": "">**NOTE:** This connector depends on a parser based on Kusto Function to work as expected [**BoxEvents**](https://aka.ms/sentinel-BoxDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""description"": ""**STEP 1 - Create Box Custom Application**\n\nSee documentation to [setup client credentials authentication](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)\n""}, {""description"": ""**STEP 2 - Grab Client ID and Client Secret values**\n\nYou might need to setup 2FA to fetch the secret.\n""}, {""description"": ""**STEP 3 - Grab Box Enterprise ID from Box Admin Console**\n\nSee documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)\n""}, {""description"": ""Provide the required values below:\n"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": 
{""label"": ""Box Enterprise ID"", ""placeholder"": ""123456"", ""type"": ""text"", ""name"": ""boxEnterpriseId""}}, {""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Client ID"", ""clientSecretLabel"": ""Client Secret"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}], ""title"": ""Connect to Box to start collecting event logs to Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Box API credentials"", ""description"": ""Box API requires a Box App client ID and client secret to authenticate. [See the documentation to learn more about Client Credentials grant](https://developer.box.com/guides/authentication/client-credentials/client-credentials-setup/)""}, {""name"": ""Box Enterprise ID"", ""description"": ""Box Enterprise ID is required to make the connection. See documentation to [find Enterprise ID](https://developer.box.com/platform/appendix/locating-values/)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Data%20Connectors/BoxEvents_ccp/BoxEvents_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Box","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Data%20Connectors/BoxEvents_ccp/BoxEvents_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Data%20Connectors/BoxEvents_ccp/BoxEvents_DataConnectorPoller.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#box-events-ccp" 
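Review bot: the added `"BloodHoundEnterprise"` row is a near-duplicate of the row immediately above it; both cite the same definition file (`.../Solutions/BloodHound%20Enterprise/Data%20Connectors/BloodHoundFunction.json`), carry identical description, instruction and permission JSON, the same `"Azure Function"` / `"Description mentions Azure Functions"` classification and the same `"Log Ingestion API|HTTP Data Collector API"` evidence, and differ only in the leading ID/publisher/title columns and one boolean column that flips from `"true"` to `"false"`. If one definition file is meant to yield two connector IDs, say so in the README version history and make the distinguishing column explicit, since that flag is now the only thing telling the two rows apart; otherwise this looks like the mapper emitting the same connector twice and should be deduplicated before the CSV, `solutions-index.md` and `index.html` are regenerated from it.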
@@ -101,12 +102,13 @@ "CiscoAsaAma","Microsoft","Cisco ASA/FTD via AMA","The Cisco ASA firewall connector allows you to easily connect your Cisco ASA logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.","[{""title"": ""Enable data collection rule\u200b"", ""description"": ""> Cisco ASA/FTD event logs are collected only from **Linux** agents."", ""instructions"": [{""type"": ""CiscoAsaAma""}]}, {""instructions"": [{""parameters"": {""linkType"": ""OpenCreateDataCollectionRule"", ""dataCollectionRuleType"": 4}, ""type"": ""InstallAgent""}]}, {""title"": ""Run the following command to install and apply the Cisco ASA/FTD collector:"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": """", ""value"": ""sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces/datasources"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace data sources"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoASA/Data%20Connectors/template_CiscoAsaAma.JSON","","AMA","Title/ID indicates AMA","Cisco","","{""CommonSecurityLog"": {""vendor"": [""Cisco""], ""product"": []}}","CommonSecurityLog.DeviceProduct in ""ASA,FTD"" | CommonSecurityLog.DeviceVendor == ""Cisco""","false","CiscoASA","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-asaftd-via-ama" "CiscoDuoSecurity","Cisco","Cisco Duo Security","The Cisco Duo Security data connector provides the capability to ingest [authentication logs](https://duo.com/docs/adminapi#authentication-logs), [administrator logs](https://duo.com/docs/adminapi#administrator-logs), [telephony logs](https://duo.com/docs/adminapi#telephony-logs), [offline enrollment logs](https://duo.com/docs/adminapi#offline-enrollment-logs) and [Trust Monitor events](https://duo.com/docs/adminapi#trust-monitor) into Microsoft Sentinel using the Cisco Duo Admin API. Refer to [API documentation](https://duo.com/docs/adminapi) for more information.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Cisco Duo API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoDuo**](https://aka.ms/sentinel-CiscoDuoSecurity-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Obtaining Cisco Duo Admin API credentials**\n\n1. Follow [the instructions](https://duo.com/docs/adminapi#first-steps) to obtain **integration key**, **secret key**, and **API hostname**. Use **Grant read log** permission in the 4th step of [the instructions](https://duo.com/docs/adminapi#first-steps).""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CiscoDuoSecurity-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CiscoDuoSecurity-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the **Cisco Duo Integration Key**, **Cisco Duo Secret Key**, **Cisco Duo API Hostname**, **Cisco Duo Log Types**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the [Azure Function App](https://aka.ms/sentinel-CiscoDuoSecurity-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCISCO_DUO_INTEGRATION_KEY\n\t\tCISCO_DUO_SECRET_KEY\n\t\tCISCO_DUO_API_HOSTNAME\n\t\tCISCO_DUO_LOG_TYPES\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. 
Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Cisco Duo API credentials"", ""description"": ""Cisco Duo API credentials with permission *Grant read log* is required for Cisco Duo API. 
See the [documentation](https://duo.com/docs/adminapi#first-steps) to learn more about creating Cisco Duo API credentials.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Data%20Connectors/CiscoDuo_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","CiscoDuoSecurity","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-duo-security-using-azure-functions" "CiscoETD","Cisco","Cisco ETD","The connector fetches data from ETD api for threat analysis","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the ETD API to pull its logs into Microsoft Sentinel.""}, {""title"": """", ""description"": ""**Follow the deployment steps to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the ETD data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Cisco ETD data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CiscoETD-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the **WorkspaceID**, **SharedKey**, **ClientID**, **ClientSecret**, **ApiKey**, **Verdicts**, **ETD Region**\n4. 
Click **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Email Threat Defense API, API key, Client ID and Secret"", ""description"": ""Ensure you have the API key, Client ID and Secret key.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD/Data%20Connectors/CiscoETD_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Cisco ETD","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-etd-using-azure-functions" +"CiscoETDConnectorDefinition","Cisco","Cisco Email Threat Defense (ETD)","The [Cisco Email Threat Defense (ETD)](https://docs.cmd.cisco.com/en/Content/secure-email-threat-defense-user-guide/homeUG.htm) data connector provides the capability to ingest [message 
events](https://docs.cmd.cisco.com/en/Content/secure-email-threat-defense-user-guide/Messages/messages.htm) from Cisco ETD into Microsoft Sentinel using the [Log Export API](https://developer.cisco.com/docs/message-search-api/log-export-api/).","[{""title"": ""Connect to Cisco ETD API"", ""description"": ""Provide your Cisco ETD API endpoint, Client ID, Client Secret, and API Key. These credentials can be obtained from your Cisco ETD administrator or through the Cisco ETD management console."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Base Endpoint URL"", ""placeholder"": ""https://api.us.etd.cisco.com"", ""type"": ""text"", ""name"": ""baseEndpoint"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""Enter OAuth2 Client ID"", ""type"": ""text"", ""name"": ""clientId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Enter OAuth2 Client Secret"", ""type"": ""password"", ""name"": ""clientSecret"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""Enter Cisco ETD API Key"", ""type"": ""password"", ""name"": ""apiKey"", ""validations"": {""required"": true}}}, {""parameters"": {""label"": ""Connect"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Cisco ETD API Credentials"", ""description"": ""Cisco ETD API credentials are required. 
Refer to the [Cisco ETD API Authentication documentation](https://developer.cisco.com/docs/message-search-api/authentication/) for more information.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD/Data%20Connectors/CiscoETD_ccp/CiscoETD_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Cisco ETD","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD/Data%20Connectors/CiscoETD_ccp/CiscoETD_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD/Data%20Connectors/CiscoETD_ccp/CiscoETD_PollerConfig.json","JwtToken;POST;MvExpand;Nested","","","","" "CiscoFirepowerEStreamer","Cisco","[Deprecated] Cisco Firepower eStreamer via Legacy Agent","eStreamer is a Client Server API designed for the Cisco Firepower NGFW Solution. The eStreamer client requests detailed event data on behalf of the SIEM or logging solution in the Common Event Format (CEF).","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 25226 TCP.\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Install the Firepower eNcore client"", ""description"": ""Install and configure the Firepower eNcore eStreamer client, for more details see full install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html)"", ""innerSteps"": [{""title"": ""2.1 Download the Firepower Connector from github"", ""description"": ""Download the latest version of the Firepower eNcore connector for Microsoft Sentinel [here](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector). 
If you plan on using python3 use the [python3 eStreamer connector](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector/tree/python3)""}, {""title"": ""2.2 Create a pkcs12 file using the Azure/VM Ip Address"", ""description"": ""Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System->Integration->eStreamer, for more information please see install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049443)""}, {""title"": ""2.3 Test Connectivity between the Azure/VM Client and the FMC"", ""description"": ""Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established, for more details please see the setup [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049430)""}, {""title"": ""2.4 Configure encore to stream data to the agent"", ""description"": ""Configure encore to stream data via TCP to the Microsoft Agent, this should be enabled by default, however, additional ports and streaming protocols can configured depending on your network security posture, it is also possible to save the data to the file system, for more information please see [Configure Encore](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049433)""}]}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Firepower%20EStreamer/Data%20Connectors/CiscoFirepowerEStreamerCollector.json","","AMA","Title mentions Legacy Agent","Cisco","Firepower","{""CommonSecurityLog"": {""vendor"": [""Cisco""], ""product"": [""Firepower""]}}","CommonSecurityLog.Activity == ""File Malware Event"" | CommonSecurityLog.DestinationPort == ""80"" | CommonSecurityLog.DeviceAction != ""Allow"" | CommonSecurityLog.DeviceProduct == ""Firepower"" | CommonSecurityLog.DeviceVendor == ""Cisco""","false","Cisco Firepower EStreamer","true","","true","","","","","","","" "CiscoFirepowerEStreamerAma","Cisco","[Deprecated] Cisco Firepower eStreamer via AMA","eStreamer is a Client Server API designed for the Cisco Firepower NGFW Solution. The eStreamer client requests detailed event data on behalf of the SIEM or logging solution in the Common Event Format (CEF).","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Install the Firepower eNcore client"", ""description"": ""Install and configure the Firepower eNcore eStreamer client, for more details see full install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html)"", ""innerSteps"": [{""title"": ""1. Download the Firepower Connector from github"", ""description"": ""Download the latest version of the Firepower eNcore connector for Microsoft Sentinel [here](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector). If you plan on using python3 use the [python3 eStreamer connector](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector/tree/python3)""}, {""title"": ""2. Create a pkcs12 file using the Azure/VM Ip Address"", ""description"": ""Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System->Integration->eStreamer, for more information please see install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049443)""}, {""title"": ""3. 
Test Connectivity between the Azure/VM Client and the FMC"", ""description"": ""Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established, for more details please see the setup [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049430)""}, {""title"": ""4. Configure encore to stream data to the agent"", ""description"": ""Configure encore to stream data via TCP to the Microsoft Agent, this should be enabled by default, however, additional ports and streaming protocols can configured depending on your network security posture, it is also possible to save the data to the file system, for more information please see [Configure Encore](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049433)""}]}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Firepower%20EStreamer/Data%20Connectors/template_CiscoFirepowerEStreamerAMA.json","","AMA","Title/ID indicates AMA","Cisco","Firepower","{""CommonSecurityLog"": {""vendor"": [""Cisco""], ""product"": [""Firepower""]}}","CommonSecurityLog.Activity == ""File Malware Event"" | CommonSecurityLog.DestinationPort == ""80"" | CommonSecurityLog.DeviceAction != ""Allow"" | CommonSecurityLog.DeviceProduct =~ ""Firepower"" | CommonSecurityLog.DeviceVendor =~ ""Cisco""","false","Cisco Firepower EStreamer","true","","true","","","","","","","" "CiscoISE","Cisco","[Deprecated] Cisco Identity Services Engine","The Cisco Identity Services Engine (ISE) data connector provides the capability to ingest [Cisco ISE](https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html) events into Microsoft Sentinel. It helps you gain visibility into what is happening in your network, such as who is connected, which applications are installed and running, and much more. Refer to [Cisco ISE logging mechanism documentation](https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_maintain_monitor.html#reference_BAFBA5FA046A45938810A5DF04C00591) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. 
[Follow these steps](https://aka.ms/sentinel-ciscoise-parser) to create the Kusto Functions alias, **CiscoISEEvent**"", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. 
Configure Cisco ISE Remote Syslog Collection Locations"", ""description"": ""[Follow these instructions](https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_maintain_monitor.html#ID58) to configure remote syslog collection locations in your Cisco ISE deployment.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ISE/Data%20Connectors/Connector_Cisco_ISE.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName has_any ""CISE,CSCO""","true","Cisco ISE","true","","true","","","","","","","" "CiscoMeraki","Cisco","[Deprecated] Cisco Meraki","The [Cisco Meraki](https://meraki.cisco.com/) connector allows you to easily connect your Cisco Meraki (MX/MR/MS) logs with Microsoft Sentinel. This gives you more insight into your organization's network and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias CiscoMeraki and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt). The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Follow the configuration steps below to get Cisco Meraki device logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n For Cisco Meraki logs, we have issues while parsing the data by OMS agent data using default settings. \nSo we advice to capture the logs into custom table **meraki_CL** using below instructions. \n1. Login to the server where you have installed OMS agent.\n2. Download config file [meraki.conf](https://aka.ms/sentinel-ciscomerakioms-conf) \n\t\twget -v https://aka.ms/sentinel-ciscomerakioms-conf -O meraki.conf \n3. Copy meraki.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder. \n\t\tcp meraki.conf /etc/opt/microsoft/omsagent/<>/conf/omsagent.d/\n4. Edit meraki.conf as follows:\n\n\t a. meraki.conf uses the port **22033** by default. 
Ensure this port is not being used by any other source on your server\n\n\t b. If you would like to change the default port for **meraki.conf** make sure that you dont use default Azure monitoring /log analytic agent ports I.e.(For example CEF uses TCP port **25226** or **25224**) \n\n\t c. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. Modify /etc/rsyslog.conf file - add below template preferably at the beginning / before directives section \n\t\t$template meraki,\""%timestamp% %hostname% %msg%\\n\"" \n7. Create a custom conf file in /etc/rsyslog.d/ for example 10-meraki.conf and add following filter conditions.\n\n\t With an added statement you will need to create a filter which will specify the logs coming from the Cisco Meraki to be forwarded to the custom table.\n\n\t reference: [Filter Conditions \u2014 rsyslog 8.18.0.master documentation](https://rsyslog.readthedocs.io/en/latest/configuration/filters.html)\n\n\t Here is an example of filtering that can be defined, this is not complete and will require additional testing for each installation.\n\t\t if $rawmsg contains \""flows\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""firewall\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""urls\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""ids-alerts\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""events\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""ip_flow_start\"" then @@127.0.0.1:22033;meraki\n\t\t & stop\n\t\t if $rawmsg contains \""ip_flow_end\"" then @@127.0.0.1:22033;meraki\n\t\t & stop \n8. 
Restart rsyslog\n\t\t systemctl restart rsyslog"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. Configure and connect the Cisco Meraki device(s)"", ""description"": ""[Follow these instructions](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP_and_API) to configure the Cisco Meraki device(s) to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Cisco Meraki"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Data%20Connectors/Connector_Syslog_CiscoMeraki.json","","AMA","References omsagent","","","","_Computed.Action == ""block"" | _Computed.EventOriginalType == ""IDS Alert"" | _Computed.LogType in ""bridge_anyconnect_client_vpn_firewall,cellular_firewall,firewall,flows,vpn_firewall"" | _Computed.LogType !contains ""firewall"" | _Computed.LogType !contains ""flows"" | _Computed.LogType !in ""urls,airmarshal_events,security_event,ids-alerts,events"" | _Computed.LogType has ""airmarshal_events"" | _Computed.LogType has ""events"" | _Computed.LogType has ""flows"" | _Computed.LogType has ""ids-alerts"" | _Computed.LogType has ""security_event"" | _Computed.LogType has ""urls"" | _Computed.LogType has_any ""flows"" | _Computed.NetworkProtocol has ""tcp"" | _Computed.NetworkProtocol has ""udp"" | _Computed.Priority in ""1,2,3,4""","true","CiscoMeraki","true","","true","","","","","","","" 
-"CiscoMerakiMultiRule","Microsoft","Cisco Meraki (using REST API)","The [Cisco Meraki](https://aka.ms/ciscomeraki) connector allows you to easily connect your Cisco Meraki organization events (Security events, Configuration Changes and API Requests) to Microsoft Sentinel. The data connector uses the [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) to fetch logs and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received data and ingests into ASIM and custom tables in your Log Analytics workspace. This data connector benefits from capabilities such as DCR based ingestion-time filtering, data normalization.

**Supported ASIM schema:**
1. Network Session
2. Web Session
3. Audit Event","[{""description"": ""Currently, this connector allows to ingest events from the following [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) endpoint: \n 1. [Get Organization Appliance Security Events](https://developer.cisco.com/meraki/api-latest/#!get-organization-appliance-security-events) \n>This connector parses **IDS Alert** events into ASimNetworkSessionLogs Table and **File Scanned** events into ASimWebSessionLogs Table. \n 2. [Get Organization Api Requests](https://developer.cisco.com/meraki/api-latest/#!get-organization-api-requests) \n>This connector parses events into ASimWebSessionLogs Table. \n 3. [Get Organization Configuration Changes](https://developer.cisco.com/meraki/api-latest/#!get-organization-configuration-changes) \n>This connector parses events into ASimAuditEventLogs Table."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Organization Id"", ""placeholder"": ""OrganizationId"", ""type"": ""text"", ""name"": ""organization""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""ApiKey"", ""type"": ""password"", ""name"": ""apiKey""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}], ""title"": ""Connect Cisco Meraki events to Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Cisco Meraki REST API Key"", ""description"": ""Enable API access in Cisco Meraki and generate API Key. Please refer to Cisco Meraki official [documentation](https://aka.ms/ciscomerakiapikey) for more information.""}, {""name"": ""Cisco Meraki Organization Id"", ""description"": ""Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the [documentation](https://aka.ms/ciscomerakifindorg) to obtain the Organization Id using the Meraki API Key obtained in previous step.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","Cisco","Meraki","{""ASimWebSessionLogs"": {""vendor"": [""Cisco""], ""product"": [""Meraki""]}, ""ASimAuditEventLogs"": {""vendor"": [""Cisco""], ""product"": [""Meraki""]}}","ASimAuditEventLogs.EventProduct == ""Meraki"" | ASimAuditEventLogs.EventVendor == ""Cisco""","false","Cisco Meraki Events via REST API","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dcr.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dataConnectorPoller.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-meraki-using-rest-api" -"CiscoMerakiNativePoller","Microsoft","Cisco Meraki (using REST API)","The [Cisco Meraki](https://aka.ms/ciscomeraki) connector allows you to easily connect your Cisco 
Meraki MX [security events](https://aka.ms/ciscomerakisecurityevents) to Microsoft Sentinel. The data connector uses [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.

**Supported ASIM schema:**
1. Network Session","[{""title"": ""Connect Cisco Meraki Security Events to Microsoft Sentinel"", ""description"": ""To enable Cisco Meraki Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>This data connector depends on a parser based on a Kusto Function to render the content. [**CiscoMeraki**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt) Parser currently support only \""**IDS Alert**\"" and \""**File Scanned**\"" Events."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""Organization Id"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{organization}}""}], ""transformation"": {""transformationType"": ""predefinedTransformation"", ""outputStream"": ""[concat('Custom-', variables('streamName'))]"", ""dataCollectionRuleTemplateSpecName"": ""[variables('dataCollectionRuleId')]"", ""logAnalyticsTableTemplateSpecName"": ""[variables('logAnalyticsTableId')]""}}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Cisco Meraki REST API Key"", ""description"": ""Enable API access in Cisco Meraki and generate API Key. 
Please refer to Cisco Meraki official [documentation](https://aka.ms/ciscomerakiapikey) for more information.""}, {""name"": ""Cisco Meraki Organization Id"", ""description"": ""Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the [documentation](https://aka.ms/ciscomerakifindorg) to obtain the Organization Id using the Meraki API Key obtained in previous step.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Data%20Connectors/CiscoMerakiNativePollerConnector/azuredeploy_Cisco_Meraki_native_poller_connector.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","_Computed.Action == ""block"" | _Computed.EventOriginalType == ""IDS Alert"" | _Computed.LogType in ""bridge_anyconnect_client_vpn_firewall,cellular_firewall,firewall,flows,vpn_firewall"" | _Computed.LogType !contains ""firewall"" | _Computed.LogType !contains ""flows"" | _Computed.LogType !in ""urls,airmarshal_events,security_event,ids-alerts,events"" | _Computed.LogType has ""airmarshal_events"" | _Computed.LogType has ""events"" | _Computed.LogType has ""flows"" | _Computed.LogType has ""ids-alerts"" | _Computed.LogType has ""security_event"" | _Computed.LogType has ""urls"" | _Computed.LogType has_any ""flows"" | _Computed.NetworkProtocol has ""tcp"" | _Computed.NetworkProtocol has ""udp"" | _Computed.Priority in ""1,2,3,4""","true","CiscoMeraki","false","","true","","","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-meraki-using-rest-api" +"CiscoMerakiMultiRule","Microsoft","Cisco Meraki (using REST API)","The [Cisco Meraki](https://aka.ms/ciscomeraki) connector allows you to easily connect your Cisco Meraki organization events (Security events, Configuration Changes and API Requests) to Microsoft Sentinel. 
The data connector uses the [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) to fetch logs and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received data and ingests into ASIM and custom tables in your Log Analytics workspace. This data connector benefits from capabilities such as DCR based ingestion-time filtering, data normalization.

**Supported ASIM schema:**
1. Network Session
2. Web Session
3. Audit Event","[{""description"": ""Currently, this connector allows to ingest events from the following [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) endpoint: \n 1. [Get Organization Appliance Security Events](https://developer.cisco.com/meraki/api-latest/#!get-organization-appliance-security-events) \n>This connector parses **IDS Alert** events into ASimNetworkSessionLogs Table and **File Scanned** events into ASimWebSessionLogs Table. \n 2. [Get Organization Api Requests](https://developer.cisco.com/meraki/api-latest/#!get-organization-api-requests) \n>This connector parses events into ASimWebSessionLogs Table. \n 3. [Get Organization Configuration Changes](https://developer.cisco.com/meraki/api-latest/#!get-organization-configuration-changes) \n>This connector parses events into ASimAuditEventLogs Table."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Organization Id"", ""placeholder"": ""OrganizationId"", ""type"": ""text"", ""name"": ""organization""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""ApiKey"", ""type"": ""password"", ""name"": ""apiKey""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}], ""title"": ""Connect Cisco Meraki events to Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Cisco Meraki REST API Key"", ""description"": ""Enable API access in Cisco Meraki and generate API Key. Please refer to Cisco Meraki official [documentation](https://aka.ms/ciscomerakiapikey) for more information.""}, {""name"": ""Cisco Meraki Organization Id"", ""description"": ""Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the [documentation](https://aka.ms/ciscomerakifindorg) to obtain the Organization Id using the Meraki API Key obtained in previous step.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","Cisco","Meraki","{""ASimWebSessionLogs"": {""vendor"": [""Cisco""], ""product"": [""Meraki""]}, ""ASimAuditEventLogs"": {""vendor"": [""Cisco""], ""product"": [""Meraki""]}}","ASimNetworkSessionLogs.EventProduct == ""Meraki"" | ASimNetworkSessionLogs.EventVendor == ""Cisco""","false","Cisco Meraki Events via REST API","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dcr.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Meraki%20Events%20via%20REST%20API/Data%20Connectors/CiscoMerakiMultiRule_ccp/dataConnectorPoller.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-meraki-using-rest-api" +"CiscoMerakiNativePoller","Microsoft","Cisco Meraki (using REST API)","The [Cisco Meraki](https://aka.ms/ciscomeraki) connector allows you to easily connect your 
Cisco Meraki MX [security events](https://aka.ms/ciscomerakisecurityevents) to Microsoft Sentinel. The data connector uses [Cisco Meraki REST API](https://developer.cisco.com/meraki/api-v1/#!get-organization-appliance-security-events) to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.

**Supported ASIM schema:**
1. Network Session","[{""title"": ""Connect Cisco Meraki Security Events to Microsoft Sentinel"", ""description"": ""To enable Cisco Meraki Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>This data connector depends on a parser based on a Kusto Function to render the content. [**CiscoMeraki**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CiscoMeraki/Parsers/CiscoMeraki.txt) Parser currently support only \""**IDS Alert**\"" and \""**File Scanned**\"" Events."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""Organization Id"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{organization}}""}], ""transformation"": {""transformationType"": ""predefinedTransformation"", ""outputStream"": ""[concat('Custom-', variables('streamName'))]"", ""dataCollectionRuleTemplateSpecName"": ""[variables('dataCollectionRuleId')]"", ""logAnalyticsTableTemplateSpecName"": ""[variables('logAnalyticsTableId')]""}}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Cisco Meraki REST API Key"", ""description"": ""Enable API access in Cisco Meraki and generate API Key. 
Please refer to Cisco Meraki official [documentation](https://aka.ms/ciscomerakiapikey) for more information.""}, {""name"": ""Cisco Meraki Organization Id"", ""description"": ""Obtain your Cisco Meraki organization id to fetch security events. Follow the steps in the [documentation](https://aka.ms/ciscomerakifindorg) to obtain the Organization Id using the Meraki API Key obtained in previous step.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoMeraki/Data%20Connectors/CiscoMerakiNativePollerConnector/azuredeploy_Cisco_Meraki_native_poller_connector.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","_Computed.Action == ""block"" | _Computed.EventOriginalType == ""IDS Alert"" | _Computed.LogType in ""bridge_anyconnect_client_vpn_firewall,cellular_firewall,firewall,flows,vpn_firewall"" | _Computed.LogType !contains ""firewall"" | _Computed.LogType !contains ""flows"" | _Computed.LogType !in ""urls,airmarshal_events,security_event,ids-alerts,events"" | _Computed.LogType has ""airmarshal_events"" | _Computed.LogType has ""events"" | _Computed.LogType has ""flows"" | _Computed.LogType has ""ids-alerts"" | _Computed.LogType has ""security_event"" | _Computed.LogType has ""urls"" | _Computed.LogType has_any ""flows"" | _Computed.NetworkProtocol has ""tcp"" | _Computed.NetworkProtocol has ""udp"" | _Computed.Priority in ""1,2,3,4""","false","CiscoMeraki","false","","true","","","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-meraki-using-rest-api" "CiscoSDWAN","Cisco","Cisco Software Defined WAN","The Cisco Software Defined WAN(SD-WAN) data connector provides the capability to ingest [Cisco SD-WAN](https://www.cisco.com/c/en_in/solutions/enterprise-networks/sd-wan/index.html) Syslog and Netflow data into Microsoft Sentinel.","[{""description"": ""**To ingest Cisco SD-WAN Syslog and Netflow data into Microsoft Sentinel follow the steps below.**""}, 
{""title"": ""1. Steps to ingest Syslog data to Microsoft sentinel"", ""description"": ""Azure Monitor Agent will be used to collect the syslog data into Microsoft sentinel. For that first need to create an azure arc server for the VM from which syslog data will be sent.\n""}, {""title"": ""1.1 Steps to Add Azure Arc Server"", ""description"": ""1. In Azure portal, go to Servers - Azure Arc and click on Add.\n2. Select Generate Script under Add a single server section. A User can also generate scripts for Multiple Servers as well.\n3. Review the information on the Prerequisites page, then select Next.\n4. On the Resource details page, provide the subscription and resource group of the Microsoft Sentinel, Region, Operating system and Connectivity method. Then select Next.\n5. On the Tags page, review the default Physical location tags suggested and enter a value, or specify one or more Custom tags to support your standards. Then select Next\n6. Select Download to save the script file. \n7. Now that you have generated the script, the next step is to run it on the server that you want to onboard to Azure Arc. \n8. If you have Azure VM follow the steps mentioned in the [link](https://learn.microsoft.com/azure/azure-arc/servers/plan-evaluate-on-azure-virtual-machine) before running the script. \n9. Run the script by the following command: `./.sh`\n10. After you install the agent and configure it to connect to Azure Arc-enabled servers, go to the Azure portal to verify that the server has successfully connected. View your machine in the Azure portal.\n> **Reference link:** [https://learn.microsoft.com/azure/azure-arc/servers/learn/quick-enable-hybrid-vm](https://learn.microsoft.com/azure/azure-arc/servers/learn/quick-enable-hybrid-vm)""}, {""title"": ""1.2 Steps to Create Data Collection Rule (DCR)"", ""description"": ""1. In Azure Portal search for Monitor. Under Settings, select Data Collection Rules and Select Create.\n2. 
On the Basics panel, enter the Rule Name, Subscription, Resource group, Region and Platform Type.\n3. Select Next: Resources.\n4. Select Add resources.Use the filters to find the virtual machine that you'll use to collect logs.\n5. Select the virtual machine. Select Apply.\n6. Select Next: Collect and deliver.\n7. Select Add data source. For Data source type, select Linux syslog. \n8. For Minimum log level, leave the default values LOG_DEBUG.\n9. Select Next: Destination.\n10. Select Add destination and add Destination type, Subscription and Account or namespace.\n11. Select Add data source. Select Next: Review + create.\n12. Select Create. Wait for 20 minutes. In Microsoft Sentinel or Azure Monitor, verify that the Azure Monitor agent is running on your VM.\n> **Reference link:** [https://learn.microsoft.com/azure/sentinel/forward-syslog-monitor-agent](https://learn.microsoft.com/azure/sentinel/forward-syslog-monitor-agent)""}, {""title"": ""2. Steps to ingest Netflow data to Microsoft sentinel"", ""description"": ""To Ingest Netflow data into Microsoft sentinel, Filebeat and Logstash needs to be installed and configured on the VM. After the configuration, vm will be able to receive netflow data on the configured port and that data will be ingested into the workspace of Microsoft sentinel.\n""}, {""title"": ""2.1 Install filebeat and logstash"", ""description"": ""1. For the installation of filebeat and logstash using apt refer to this doc: \n 1. Filebeat: [https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html). \n 2. Logstash: [https://www.elastic.co/guide/en/logstash/current/installing-logstash.html](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html). \n2. For the installation of filebeat and logstash for RedHat based Linux (yum) steps are as follows: \n 1. 
Filebeat: [https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html#_yum](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html#_yum). \n 2. Logstash: [https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html#_yum)""}, {""title"": ""2.2 Configure Filebeat to send events to Logstash"", ""description"": ""1. Edit filebeat.yml file: `vi /etc/filebeat/filebeat.yml` \n2. Comment out the Elasticsearch Output section. \n3. Uncomment Logstash Output section (Uncomment out only these two lines)-\n\t\toutput.logstash\n\t\thosts: [\""localhost:5044\""] \n3. In the Logstash Output section, if you want to send the data other than the default port i.e. 5044 port, then replace the port number in the hosts field. (Note: This port should be added in the conf file, while configuring logstash.) \n4. In the 'filebeat.inputs' section comment out existing configuration and add the following configuration: \n\t\t- type: netflow\n\t\t max_message_size: 10KiB\n\t\t host: \""0.0.0.0:2055\""\n\t\t protocols: [ v5, v9, ipfix ]\n\t\t expiration_timeout: 30m\n\t\t queue_size: 8192\n\t\t custom_definitions:\n\t\t - /etc/filebeat/custom.yml\n\t\t detect_sequence_reset: true\n\t\t enabled: true \n6. In the Filebeat inputs section, if you want to receive the data other than the default port i.e. 2055 port, then replace the port number in the host field. \n7. Add the provided [custom.yml](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Cisco%20SD-WAN/Data%20Connectors/custom.yml) file inside the /etc/filebeat/ directory. \n8. Open the filebeat input and output port in the firewall. \n 1. Run command: `firewall-cmd --zone=public --permanent --add-port=2055/udp` \n 2. 
Run command: `firewall-cmd --zone=public --permanent --add-port=5044/udp` \n> Note: if a custom port is added for filebeat input/output, then open that port in the firewall.""}, {""title"": ""2.3 Configure Logstash to send events to Microsoft Sentinel"", ""description"": ""1. Install the Azure Log Analytics plugin: \n 1. Run Command: `sudo /usr/share/logstash/bin/logstash-plugin install microsoft-logstash-output-azure-loganalytics` \n3. Store the Log Analytics workspace key in the Logstash key store. The workspace key can be found in Azure Portal under Log analytic workspace > Select workspace > Under Settings select Agent > Log Analytics agent instructions. \n4. Copy the Primary key and run the following commands: \n 1. `sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create LogAnalyticsKey` \n 2. `sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add LogAnalyticsKey` \n5. Create the configuration file /etc/logstash/cisco-netflow-to-sentinel.conf: \n\t\tinput {\n\t\t beats {\n\t\t port => #(Enter output port number which has been configured during filebeat configuration i.e. filebeat.yml file .)\n\t\t }\n\t\t}\n\t\toutput {\n\t\t microsoft-logstash-output-azure-loganalytics {\n\t\t workspace_id => \""\""\n\t\t workspace_key => \""${LogAnalyticsKey}\""\n\t\t custom_log_table_name => \""CiscoSDWANNetflow\""\n\t\t }\n\t\t} \n> Note: If table is not present in Microsoft sentinel, then it will create a new table in sentinel.""}, {""title"": ""2.4 Run Filebeat:"", ""description"": ""1. Open a terminal and run the command: \n> `systemctl start filebeat` \n2. This command will start running filebeat in the background. To see the logs stop the filebeat (`systemctl stop filebeat`) then run the following command: \n> `filebeat run -e`""}, {""title"": ""2.5 Run Logstash:"", ""description"": ""1. 
In another terminal run the command: \n> `/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/cisco-netflow-to-sentinel.conf &` \n2. This command will start running the logstash in the background. To see the logs of logstash kill the above process and run the following command : \n> `/usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/cisco-netflow-to-sentinel.conf`""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20SD-WAN/Data%20Connectors/CiscoSDWAN.json","","AMA","Table resource_types includes 'virtualmachines'","","","","","false","Cisco SD-WAN","false","","true","","","","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-software-defined-wan" "CiscoSEG","Cisco","[Deprecated] Cisco Secure Email Gateway via Legacy Agent","The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway"", ""instructions"": []}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Data%20Connectors/Connector_Cisco_SEG_CEF.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceEventClassID =~ ""ESA_CONSOLIDATED_LOG_EVENT""","true","CiscoSEG","true","","true","","","","","","","" "CiscoSEGAma","Cisco","[Deprecated] Cisco Secure Email Gateway via AMA","The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""2Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoSEG/Data%20Connectors/template_CiscoSEGAMA.json","","AMA","Title/ID indicates AMA","Cisco","ESA_CONSOLIDATED_LOG_EVENT","{""CommonSecurityLog"": {""vendor"": [""Cisco""], ""product"": [""ESA_CONSOLIDATED_LOG_EVENT""]}}","CommonSecurityLog.DeviceEventClassID =~ ""ESA_CONSOLIDATED_LOG_EVENT"" | CommonSecurityLog.DeviceProduct =~ ""ESA_CONSOLIDATED_LOG_EVENT"" | CommonSecurityLog.DeviceVendor =~ ""Cisco""","true","CiscoSEG","true","","true","","","","","","","" 
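Review bot: in the `+"CiscoMerakiMultiRule"` row the filter column changes from `ASimAuditEventLogs.EventProduct == "Meraki" | ASimAuditEventLogs.EventVendor == "Cisco"` to `ASimNetworkSessionLogs.EventProduct == "Meraki" | ASimNetworkSessionLogs.EventVendor == "Cisco"`, but the tables JSON column in that same row still lists only `ASimWebSessionLogs` and `ASimAuditEventLogs`, even though the row's own description says IDS Alert events are parsed into `ASimNetworkSessionLogs`; either the mapping column should gain `ASimNetworkSessionLogs` (and the first filter entry no longer drops out) or the filter now points at a table the mapping does not claim, so one of the two columns looks stale after regeneration. Separately, the `+"CiscoMerakiNativePoller"` row differs from its `-` counterpart only in the boolean column immediately after the `_Computed.*` filter expression (`"true"` becomes `"false"`), with no other field touched; since nothing in the hunk explains the flip, please confirm it is an intended reclassification rather than a regeneration artifact, and consider recording the reason alongside the change.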
@@ -117,7 +119,7 @@ "CiscoUmbrellaDataConnector","Cisco","Cisco Cloud Security","The Cisco Cloud Security solution for Microsoft Sentinel enables you to ingest [Cisco Secure Access](https://docs.sse.cisco.com/sse-user-guide/docs/welcome-cisco-secure-access) and [Cisco Umbrella](https://docs.umbrella.com/umbrella-user-guide/docs/getting-started) [logs](https://docs.sse.cisco.com/sse-user-guide/docs/manage-your-logs) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to [Cisco Cloud Security log management documentation](https://docs.umbrella.com/deployment-umbrella/docs/log-management) for more information.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Amazon S3 REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**NOTE:** This connector has been updated to support [Cisco Cloud Security log schema version 14.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning)""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App.""}, {""title"": """", ""description"": "">**NOTE:** This connector uses a parser based on a Kusto Function to normalize fields. 
[Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration of the Cisco Cloud Security logs collection**\n\n[See documentation](https://docs.umbrella.com/deployment-umbrella/docs/log-management#section-logging-to-amazon-s-3) and follow the instructions for set up logging and obtain credentials.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Functions**\n\n>**IMPORTANT:** Before deploying the Cisco Cloud Security data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Amazon S3 REST API Authorization credentials, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Cisco Cloud Security data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelciscoumbrellaazuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinelciscoumbrellaazuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **S3Bucket**, **AWSAccessKeyId**, **AWSSecretAccessKey**\n**Note:** For the S3Bucket use the value that Cisco referrs to as the _S3 Bucket Data Path_ and add a / (forward slash) to the end of the value\n4. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Cisco Cloud Security data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tS3Bucket\n\t\tAWSAccessKeyId\n\t\tAWSSecretAccessKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. 
Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Amazon S3 REST API Credentials/permissions"", ""description"": ""**AWS Access Key Id**, **AWS Secret Access Key**, **AWS S3 Bucket Name** are required for Amazon S3 REST API.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Data%20Connectors/CiscoUmbrella_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","CiscoUmbrella","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-cloud-security-using-azure-functions" "CiscoUmbrellaDataConnectorelasticpremium","Cisco","Cisco Cloud Security (using elastic premium plan)","The Cisco Umbrella data connector provides the capability to ingest [Cisco Umbrella](https://docs.umbrella.com/) events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Refer to [Cisco Umbrella log management documentation](https://docs.umbrella.com/deployment-umbrella/docs/log-management) for more information.

**NOTE:** This data connector uses the [Azure Functions Premium Plan](https://learn.microsoft.com/azure/azure-functions/functions-premium-plan?tabs=portal) to enable secure ingestion capabilities and will incur additional costs. More pricing details are [here](https://azure.microsoft.com/pricing/details/functions/?msockid=2f4366822d836a7c2ac673462cfc6ba8#pricing).","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Amazon S3 REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**NOTE:** This connector has been updated to support [cisco umbrella log schema version 14.](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning)""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App.""}, {""title"": """", ""description"": "">**NOTE:** This connector uses a parser based on a Kusto Function to normalize fields. 
[Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoUmbrella/Cisco_Umbrella) to create the Kusto function alias **Cisco_Umbrella**.""}, {""title"": """", ""description"": ""**STEP 1 - Network Prerequisites for Private Access**\n\n>**IMPORTANT:** When deploying with private storage account access, ensure the following network prerequisites are met:\n> - **Virtual Network**: An existing Virtual Network (VNet) must be available\n> - **Subnet**: A dedicated subnet within the VNet must be delegated to **Microsoft.Web/serverFarms** for Function App VNet integration\n> - **Subnet Delegation**: Configure the subnet delegation using Azure Portal, ARM template, or Azure CLI:\n> - Azure Portal: Go to Virtual networks \u2192 Select your VNet \u2192 Subnets \u2192 Select subnet \u2192 Delegate subnet to service \u2192 Choose **Microsoft.Web/serverFarms**\n> - Azure CLI: `az network vnet subnet update --resource-group --vnet-name --name --delegations Microsoft.Web/serverFarms`\n> - **Private Endpoints**: The deployment will create private endpoints for storage account services (blob, file, queue, table) within the same subnet""}, {""title"": """", ""description"": ""**STEP 2 - Configuration of the Cisco Umbrella logs collection**\n\n[See documentation](https://docs.umbrella.com/deployment-umbrella/docs/log-management#section-logging-to-amazon-s-3) and follow the instructions for set up logging and obtain credentials.""}, {""title"": """", ""description"": ""**STEP 3 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Functions**\n\n>**IMPORTANT:** Before deploying the Cisco Umbrella data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Amazon S3 REST API Authorization credentials, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": 
""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Cisco Umbrella data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelciscoumbrellaelasticpremiumazuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinelciscoumbrellaelasticpremiumazuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **S3Bucket**, **AWSAccessKeyId**, **AWSSecretAccessKey**\n4. **For Private Access Deployment**: Also enter **existingVnetName**, **existingVnetResourceGroupName**, and **existingSubnetName** (ensure subnet is delegated to Microsoft.Web/serverFarms)\n**Note:** For the S3Bucket use the value that Cisco referrs to as the _S3 Bucket Data Path_ and add a / (forward slash) to the end of the value\n5. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n6. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Cisco Umbrella data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. 
Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tS3Bucket\n\t\tAWSAccessKeyId\n\t\tAWSSecretAccessKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Amazon S3 REST API Credentials/permissions"", ""description"": ""**AWS Access Key Id**, **AWS Secret Access Key**, **AWS S3 Bucket Name** are required for Amazon S3 REST API.""}, {""name"": ""Virtual Network permissions (for private access)"", ""description"": ""For private storage account access, **Network Contributor** permissions are required on the Virtual Network and subnet. The subnet must be delegated to **Microsoft.Web/serverFarms** for Function App VNet integration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoUmbrella/Data%20Connectors/CiscoUmbrella_API_FunctionApp_elasticpremium.json","","Azure Function","Filename indicates Azure Function","","","","","false","CiscoUmbrella","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cisco-cloud-security-using-elastic-premium-plan-using-azure-functions" "CiscoWSA","Cisco","[Deprecated] Cisco Web Security Appliance","[Cisco Web Security Appliance (WSA)](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) data connector provides the capability to ingest [Cisco WSA Access Logs](https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_010101.html) into Microsoft Sentinel.","[{""title"": """", 
""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoWSAEvent**](https://aka.ms/sentinel-CiscoWSA-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Web Security Appliance"", ""instructions"": []}, {""title"": ""1. Configure Cisco Web Security Appliance to forward logs via Syslog to remote server where you will install the agent."", ""description"": ""[Follow these steps](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718) to configure Cisco Web Security Appliance to forward logs via Syslog\n\n>**NOTE:** Select **Syslog Push** as a Retrieval Method.""}, {""title"": ""2. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure 
Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""3. Check logs in Microsoft Sentinel"", ""description"": ""Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table."", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoWSA/Data%20Connectors/Connector_WSA_Syslog.json","","AMA","Syslog with agent installation (no AMA)","","","","Syslog.ProcessName == ""cisco_wsa""","true","CiscoWSA","true","","true","","","","","","","" -"Citrix","CITRIX","CITRIX SECURITY ANALYTICS","Citrix Analytics (Security) integration with Microsoft Sentinel helps you to export data analyzed for risky events from Citrix Analytics (Security) into Microsoft Sentinel environment. You can create custom dashboards, analyze data from other sources along with that from Citrix Analytics (Security) and create custom workflows using Logic Apps to monitor and mitigate security events.","[{""title"": """", ""description"": ""To get access to this capability and the configuration steps on Citrix Analytics, please visit: [Connect Citrix to Microsoft Sentinel.](https://aka.ms/Sentinel-Citrix-Connector)\u200b\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Licensing"", ""description"": ""Entitlements to Citrix Security Analytics in Citrix Cloud. Please review [Citrix Tool License Agreement.](https://aka.ms/sentinel-citrixanalyticslicense-readme)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20for%20Security/Data%20Connectors/CitrixSecurityAnalytics.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Citrix Analytics for Security","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"Citrix","CITRIX","CITRIX SECURITY ANALYTICS","Citrix Analytics (Security) integration with Microsoft Sentinel helps you to export data analyzed for risky events from Citrix Analytics (Security) into Microsoft Sentinel environment. 
You can create custom dashboards, analyze data from other sources along with that from Citrix Analytics (Security) and create custom workflows using Logic Apps to monitor and mitigate security events.","[{""title"": """", ""description"": ""To get access to this capability and the configuration steps on Citrix Analytics, please visit: [Connect Citrix to Microsoft Sentinel.](https://aka.ms/Sentinel-Citrix-Connector)\u200b\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Licensing"", ""description"": ""Entitlements to Citrix Security Analytics in Citrix Cloud. 
Please review [Citrix Tool License Agreement.](https://aka.ms/sentinel-citrixanalyticslicense-readme)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20for%20Security/Data%20Connectors/CitrixSecurityAnalytics.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Citrix Analytics for Security","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "CitrixADC","Citrix","[Deprecated] Citrix ADC (former NetScaler)","The [Citrix ADC (former NetScaler)](https://www.citrix.com/products/citrix-adc/) data connector provides the capability to ingest Citrix ADC logs into Microsoft Sentinel. If you want to ingest Citrix WAF logs into Microsoft Sentinel, refer this [documentation](https://learn.microsoft.com/azure/sentinel/data-connectors/citrix-waf-web-app-firewall)","[{""title"": """", ""description"": "">**NOTE:** 1. This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias CitrixADCEvent and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC/Parsers/CitrixADCEvent.yaml), this function maps Citrix ADC (former NetScaler) events to Advanced Security Information Model [ASIM](https://docs.microsoft.com/azure/sentinel/normalization). The function usually takes 10-15 minutes to activate after solution installation/update. \n\n>**NOTE:** 2. This parser requires a watchlist named **`Sources_by_SourceType`** \n\n> i. 
If you don't have watchlist already created, please click [here](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdeploy%2FWatchlists%2FASimSourceType.json) to create. \n\n> ii. Open watchlist **`Sources_by_SourceType`** and add entries for this data source.\n\n> iii. The SourceType value for CitrixADC is **`CitrixADC`**. \n\n> You can refer [this](https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers?WT.mc_id=Portal-fx#configure-the-sources-relevant-to-a-source-specific-parser) documentation for more details"", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. 
Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure Citrix ADC to forward logs via Syslog"", ""description"": ""3.1 Navigate to **Configuration tab > System > Auditing > Syslog > Servers tab**\n\n 3.2 Specify **Syslog action name**.\n\n 3.3 Set IP address of remote Syslog server and port.\n\n 3.4 Set **Transport type** as **TCP** or **UDP** depending on your remote Syslog server configuration.\n\n 3.5 You can refer Citrix ADC (former NetScaler) [documentation](https://docs.netscaler.com/) for more details.""}, {""title"": ""4. Check logs in Microsoft Sentinel"", ""description"": ""Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table."", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC/Data%20Connectors/Connector_CitrixADC_syslog.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","","true","Citrix ADC","true","","true","","","","","","","" "CitrixAnalyticsDefinition","Citrix","Citrix Analytics (via Codeless Connector Framework)","Citrix Analytics integration with Microsoft Sentinel helps you to export data analyzed for the events(SPA, Security) from Citrix Analytics into Microsoft Sentinel environment. You can create custom dashboards, analyze data from other sources along with that from Citrix Analytics and create custom workflows using Logic Apps to monitor and mitigate the events.","[{""title"": ""1. 
Create ARM Resources and Provision Required Permissions"", ""description"": ""Click Deploy to provision the required Azure resources (Log Analytics tables, Data Collection Rule, and Entra app registration) and enable Citrix Analytics to securely push data into Microsoft Sentinel via the Azure Monitor Logs Ingestion API."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Deploy Citrix Analytics Connector Resources"", ""applicationDisplayName"": ""Citrix Analytics Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. Configure your integration in the Citrix Analytics Platform"", ""description"": ""Use the following parameters to configure your integration in the Citrix Analytics Platform."", ""instructions"": [{""parameters"": {""label"": ""Directory ID (Tenant ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID (Client ID)"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy the Push Connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret (Credential Secret) (THIS SECRET WILL NOT BE VISIBLE AFTER LEAVING THIS PAGE)"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy the Push Connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint (URL)"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy the Push 
Connector to get the Data Collection Endpoint""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule Immutable ID (Rule ID)"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy the Push Connector to get the Data Collection Rule ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.""}, {""name"": ""Licensing"", ""description"": ""Entitlements to Citrix Analytics in Citrix Cloud. 
Please review [Citrix Tool License Agreement.](https://aka.ms/sentinel-citrixanalyticslicense-readme)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20CCF/Data%20Connectors/CitrixAnalytics_CCF/CitrixAnalytics_Definition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Citrix Analytics CCF","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20CCF/Data%20Connectors/CitrixAnalytics_CCF/CitrixAnalytics_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20CCF/Data%20Connectors/CitrixAnalytics_CCF/CitrixAnalytics_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" "CitrixWAF","Citrix Systems Inc.","[Deprecated] Citrix WAF (Web App Firewall) via Legacy Agent"," Citrix WAF (Web App Firewall) is an industry leading enterprise-grade WAF solution. Citrix WAF mitigates threats against your public-facing assets, including websites, apps, and APIs. From layer 3 to layer 7, Citrix WAF includes protections such as IP reputation, bot mitigation, defense against the OWASP Top 10 application threats, built-in signatures to protect against application stack vulnerabilities, and more.

Citrix WAF supports Common Event Format (CEF) which is an industry standard format on top of Syslog messages . By connecting Citrix WAF CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure Citrix WAF to send Syslog messages in CEF format to the proxy machine using the steps below. \n\n1. 
Follow [this guide](https://support.citrix.com/article/CTX234174) to configure WAF.\n\n2. Follow [this guide](https://support.citrix.com/article/CTX136146) to configure CEF logs.\n\n3. Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy . Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.\n\n""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Web%20App%20Firewall/Data%20Connectors/Citrix_WAF.json","","AMA","Title mentions Legacy Agent","Citrix","NetScaler","{""CommonSecurityLog"": {""vendor"": [""Citrix""], ""product"": [""NetScaler""]}}","CommonSecurityLog.Activity in ""APPFW_SQL,APPFW_STARTURL,APPFW_XSS"" | CommonSecurityLog.DeviceProduct == ""NetScaler"" | CommonSecurityLog.DeviceVendor == ""Citrix""","true","Citrix Web App Firewall","true","","true","","","","","","","" @@ -152,8 +154,8 @@ "ConfluenceAuditAPI","Atlassian","[Deprecated] Atlassian Confluence Audit","The [Atlassian Confluence](https://www.atlassian.com/software/confluence) Audit data connector provides the capability to ingest [Confluence Audit Records](https://support.atlassian.com/confluence-cloud/docs/view-the-audit-log/) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

NOTE: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Confluence REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Confluence API**\n\n [Follow the instructions](https://developer.atlassian.com/cloud/confluence/rest/intro/#auth) to obtain the credentials. \n""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Confluence Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-confluenceaudit-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-confluenceaudit-azuredeploy-gov)\n2. 
Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ConfluenceAccessToken**, **ConfluenceUsername**, **ConfluenceHomeSiteName** (short site name part, as example HOMESITENAME from https://community.atlassian.com) and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Confluence Audit data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-confluenceauditapi-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. 
Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ConflAuditXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tConfluenceUsername\n\t\tConfluenceAccessToken\n\t\tConfluenceHomeSiteName\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. 
Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**ConfluenceAccessToken**, **ConfluenceUsername** is required for REST API. [See the documentation to learn more about API](https://developer.atlassian.com/cloud/confluence/rest/api-group-audit/). 
Check all [requirements and follow the instructions](https://developer.atlassian.com/cloud/confluence/rest/intro/#auth) for obtaining credentials.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianConfluenceAudit/Data%20Connectors/AtlassianConfluenceAuditDataConnector/ConfluenceAudit_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","AtlassianConfluenceAudit","true","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#atlassian-confluence-audit-via-codeless-connector-framework" "ContrastADR","Contrast Security","ContrastADR","The ContrastADR data connector provides the capability to ingest Contrast ADR attack events into Microsoft Sentinel using the ContrastADR Webhook. ContrastADR data connector can enrich the incoming webhook data with ContrastADR API enrichment calls.","[{""title"": """", ""description"": ""Use these Workspace id and primakey key as shared key in azure function app"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Use this method to automate deployment of the ContrastADR Data Connector using ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ContrastADR-azuredeploy)\n2. 
Provide the following parameters: Region, Function Name, LOG_ANALYTICS_SHARED_KEY, LOG_ANALYTICS_WORKSPACE_ID ""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Data%20Connectors/ContrastADR_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","ContrastADR","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "ContrastADRCCF","Contrast Security","Contrast ADR Push Connector","The [Contrast Security](https://www.contrastsecurity.com/) connector provides the capability to ingest attack events and incidents from Contrast Application Detection and Response (ADR) into Microsoft Sentinel. This connector receives data via webhook push mechanism using OAuth authentication.","[{""title"": ""1. 
Deploy Connector Resources"", ""description"": ""Deploy the required Azure resources for Contrast ADR data ingestion."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Choose Your Deployment Option\n\nSelect one of the following deployment options based on requirements:\n\n---\n\n### Option A: Auto-Create Microsoft Entra Application (Recommended)\n\nClicking **Deploy Contrast ADR CCF Connector** will automatically create:\n- Data Collection Endpoint (DCE)\n- Data Collection Rule (DCR) with streams for attack events and incidents\n- Log Analytics tables (ContrastADRAttackEvents_CL and ContrastADRIncidents_CL)\n- Microsoft Entra Application with OAuth credentials\n- Role assignment (Monitoring Metrics Publisher) on the DCR\n\n**After deployment:** All configuration values (Tenant ID, Client ID, Client Secret, DCE URI, DCR Immutable ID) will be auto-populated below for easy copy-paste into Contrast platform.\n\n---\n\n### Option B: Use Pre-Existing Microsoft Entra Application (BYOA)\n\nClicking **Deploy Contrast ADR CCF Connector** will create:\n- Data Collection Endpoint (DCE)\n- Data Collection Rule (DCR) with streams for attack events and incidents\n- Log Analytics tables (ContrastADRAttackEvents_CL and ContrastADRIncidents_CL)\n- Microsoft Entra Application (you can ignore this)\n\n**When to use:** If you have an existing Entra App that you want to reuse for security or compliance reasons.\n\n**Additional steps required:**\n1. After deployment, manually assign your pre-existing Entra App's Service Principal the **Monitoring Metrics Publisher** role on the created DCR\n2. Use your own Entra App's Client ID and Client Secret (ignore the auto-generated ones below)\n3. 
Use the DCE URI and DCR Immutable ID from below in your Contrast webhook configuration\n\n---\n\n**Click Deploy to begin:**""}}, {""parameters"": {""label"": ""Deploy Contrast ADR CCF Connector"", ""applicationDisplayName"": ""Contrast ADR Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. Configure Contrast ADR Webhook"", ""description"": ""Copy the following values to configure the Microsoft Sentinel integration in Contrast ADR platform."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""**For Option A (Auto-Created Entra App):** Use all the auto-populated values below.\n\n**For Option B (Pre-Existing Entra App):** Use the DCE URI, DCR Immutable ID, and Stream Names from below, but use your own Entra App's Tenant ID, Client ID, and Client Secret.\n\n---\n\n#### Azure Configuration Values:\n""}}, {""parameters"": {""label"": ""Tenant ID"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Application (Client) ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy connector to get the Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Client Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy connector to get the Client Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint (DCE) URI"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy connector to get the DCE URI""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule (DCR) Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy connector to get the DCR Immutable ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Attack Events Stream Name"", ""value"": ""Custom-ContrastADRAttackEvents""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Incidents Stream Name"", ""value"": 
""Custom-ContrastADRIncidents""}, ""type"": ""CopyableLabel""}, {""type"": ""Markdown"", ""parameters"": {""content"": ""---\n\n#### Configure in Contrast ADR Platform\n\n1. Log in to your **Contrast ADR platform**\n2. Navigate to **Administration > Integrations > Microsoft Sentinel**\n3. Copy and paste all the configuration values from above:\n - Tenant ID\n - Application (Client) ID\n - Client Secret\n - Data Collection Endpoint (DCE) URI\n - Data Collection Rule (DCR) Immutable ID\n - Attack Events Stream Name\n - Incidents Stream Name\n4. Click **Save** to complete the integration\n\nThe Contrast platform will automatically configure the OAuth authentication and data endpoints using these values.""}}]}, {""title"": ""3. Verify Data Ingestion"", ""description"": ""Verify that data is flowing from Contrast ADR to Microsoft Sentinel."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Verification Steps\n\n1. Trigger a test attack event in Contrast ADR\n2. Wait 5-10 minutes for data to appear in Microsoft Sentinel\n3. Run the following query to verify attack events:\n\n```kusto\nContrastADRAttackEvents_CL\n| take 10\n```\n\n4. Verify incidents data:\n\n```kusto\nContrastADRIncidents_CL\n| take 10\n```\n\n5. Check for connectivity:\n\n```kusto\nContrastADRAttackEvents_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(7d)\n```\n\nIf data appears and IsConnected returns true, your connector is configured correctly!""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID (if using auto-created app). 
Typically requires Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to create and configure Azure resources (DCE, DCR, Tables) and assign RBAC roles. Typically requires Contributor and User Access Administrator roles.""}, {""name"": ""Contrast ADR Webhook Access"", ""description"": ""Access to Contrast ADR platform to configure webhook with OAuth authentication settings.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Data%20Connectors/ContrastADRCCF/connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","ContrastADR","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Data%20Connectors/ContrastADRCCF/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Data%20Connectors/ContrastADRCCF/dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#contrast-adr-push-connector" -"ContrastProtect","Contrast Security","[Deprecated] Contrast Protect via Legacy Agent","Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Microsoft Sentinel to blend with security information from other systems.","[{""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect/Data%20Connectors/ContrastProtect.json","","AMA","Title mentions Legacy Agent","Contrast Security","","{""CommonSecurityLog"": {""vendor"": [""Contrast Security""], ""product"": []}}","CommonSecurityLog.DeviceVendor == ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","false","Contrast Protect","true","","true","","","","","","","" -"ContrastProtectAma","Contrast Security","[Deprecated] Contrast Protect via AMA","Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Microsoft Sentinel to blend with security information from other systems.","[{""title"": """", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect/Data%20Connectors/template_ContrastProtectAMA.json","","AMA","Title/ID indicates AMA","Contrast Security","","{""CommonSecurityLog"": {""vendor"": [""Contrast Security""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","false","Contrast Protect","true","","true","","","","","","","" +"ContrastProtect","Contrast Security","[Deprecated] Contrast Protect via Legacy Agent","Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Microsoft Sentinel to blend with security information from other systems.","[{""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect/Data%20Connectors/ContrastProtect.json","","AMA","Title mentions Legacy Agent","Contrast Security","","{""CommonSecurityLog"": {""vendor"": [""Contrast Security""], ""product"": []}}","CommonSecurityLog.DeviceVendor == ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","false","Contrast Protect","true","","false","","","","","","","" +"ContrastProtectAma","Contrast Security","[Deprecated] Contrast Protect via AMA","Contrast Protect mitigates security threats in production applications with runtime protection and observability. Attack event results (blocked, probed, suspicious...) and other information can be sent to Microsoft Microsoft Sentinel to blend with security information from other systems.","[{""title"": """", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect/Data%20Connectors/template_ContrastProtectAMA.json","","AMA","Title/ID indicates AMA","Contrast Security","","{""CommonSecurityLog"": {""vendor"": [""Contrast Security""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","false","Contrast Protect","true","","false","","","","","","","" "CorelightConnectorExporter","Corelight","Corelight Connector Exporter","The [Corelight](https://corelight.com/) data connector enables incident responders and threat hunters who use Microsoft Sentinel to work faster and more effectively. The data connector enables ingestion of events from [Zeek](https://zeek.org/) and [Suricata](https://suricata-ids.org/) via Corelight Sensors into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Corelight**](https://aka.ms/sentinel-Corelight-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. Get the files"", ""description"": ""Contact your TAM, SE, or info@corelight.com to get the files needed for the Microsoft Sentinel integration.""}, {""title"": ""2. 
Replay sample data."", ""description"": ""Replay sample data to create the needed tables in your Log Analytics workspace."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Send sample data (only needed once per Log Analytics workspace)"", ""value"": ""./send_samples.py --workspace-id {0} --workspace-key {1}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. Install custom exporter."", ""description"": ""Install the custom exporter or the logstash container.""}, {""title"": ""4. Configure the Corelight Sensor to send logs to the Azure Log Analytics Agent."", ""description"": ""Using the following values, configure your Corelight Sensor to use the Microsoft Sentinel exporter. Alternatively, you can configure the logstash container with these values and configure your sensor to send JSON over TCP to that container on the appropriate port."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Workspace Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Corelight/Data%20Connectors/CorelightConnectorExporter.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Corelight","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#corelight-connector-exporter" "CortexXDRDataConnector","Microsoft","Palo Alto Cortex XDR","The [Palo Alto Cortex XDR](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/09agw06t5dpvw-cortex-xdr-rest-api) data connector allows ingesting logs from the Palo Alto Cortex XDR API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the Palo Alto Cortex XDR API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Palo Alto Cortex XDR API \n Follow the instructions to obtain the credentials. you can also follow this [guide](https://cortex-panw.stoplight.io/docs/cortex-xdr/branches/main/3u3j0e7hcx8t1-get-started-with-cortex-xdr-ap-is) to generate API key.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. Retrieve API URL\n 1.1. 
Log in to the Palo Alto Cortex XDR [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**], click [**Settings**] -> [**Configurations**] \n 1.3. Under [**Integrations**] click on [**API Keys**].\n 1.4. In the [**Settings**] Page click on [**Copy API URL**] in the top right corner.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Retrieve API Token\n 2.1. Log in to the Palo Alto Cortex XDR [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**] -> [**Configurations**] \n 2.3. Under [**Integrations**] click on [**API Keys**].\n 2.4. In the [**Settings**] Page click on [**New Key**] in the top right corner.\n 2.5. Choose security level, role, choose Standard and click on [**Generate**]\n 2.6. Copy the API Token, once it generated the [**API Token ID**] can be found under the ID column""}}, {""parameters"": {""label"": ""Base API URL"", ""placeholder"": ""https://api-example.xdr.au.paloaltonetworks.com"", ""type"": ""text"", ""name"": ""apiUrl""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""API Key ID"", ""placeholder"": ""API ID"", ""type"": ""text"", ""name"": ""apiId""}, ""type"": ""Textbox""}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Token"", ""placeholder"": ""API Token"", ""type"": ""password"", ""name"": ""apiToken""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}], ""innerSteps"": null}]","{""tenant"": null, ""licenses"": null, ""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": 
false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cortex%20XDR/Data%20Connectors/CortexXDR_ccp/DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Cortex XDR","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cortex%20XDR/Data%20Connectors/CortexXDR_ccp/DCR.json;https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Cortex%20XDR%20CCP/Data%20Connectors/CortexXDR_ccp/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cortex%20XDR/Data%20Connectors/CortexXDR_ccp/PollingConfig.json","APIKey;Paging;POST","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#palo-alto-cortex-xdr" "CortexXDRIncidents","DEFEND Ltd.","Cortex XDR - Incidents","Custom Data connector from DEFEND to utilise the Cortex API to ingest incidents from Cortex XDR platform into Microsoft Sentinel.","[{""description"": ""Connect Cortex XDR to Microsoft Sentinel via Cortex API to process Cortex Incidents."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""API Endpoint, excluding the 'api-' portion (example.xdr.au.paloaltonetworks.com)"", ""placeHolderName"": ""{{fqdn}}"", ""requestObjectKey"": ""apiEndpoint""}, {""displayText"": ""API Key Id"", ""placeHolderName"": ""{{apiKeyId}}"", ""pollingKeyPaths"": [""$.request.headers.x-xdr-auth-id""]}]}, ""type"": ""APIKey""}], ""title"": ""Enable Cortex XDR API""}]","{""customs"": [{""description"": ""**Cortex API Token** is required for REST API. [See the documentation to learn more about API](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-api.html). 
Check all requirements and follow the instructions for obtaining credentials."", ""name"": ""Cortex API credentials""}], ""resourceProvider"": [{""permissionsDisplayText"": ""read and write permissions are required."", ""provider"": ""Microsoft.OperationalInsights/workspaces"", ""providerDisplayName"": ""Workspace"", ""requiredPermissions"": {""delete"": true, ""read"": true, ""write"": true}, ""scope"": ""Workspace""}, {""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""providerDisplayName"": ""Keys"", ""requiredPermissions"": {""action"": true}, ""scope"": ""Workspace""}]}","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cortex%20XDR/Data%20Connectors/CortexXDR_DataConnector.json","","CCF","Has pollingConfig","","","","","false","Cortex XDR","false","","true","","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cortex%20XDR/Data%20Connectors/CortexXDR_ccp/PollingConfig.json","APIKey;Paging;POST","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#cortex-xdr---incidents" @@ -163,7 +165,7 @@ "CrowdStrikeFalconEndpointProtection","CrowdStrike","[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent","The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

NOTE: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent"", ""description"": ""Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json","","AMA","Title mentions Legacy Agent","CrowdStrike","FalconHost","{""CommonSecurityLog"": {""vendor"": [""CrowdStrike""], ""product"": [""FalconHost""]}}","CommonSecurityLog.DeviceProduct == ""FalconHost"" | CommonSecurityLog.DeviceVendor == ""CrowdStrike"" | _Computed.DeviceCustomDate1Label in ""DNS Request Time,DocAccessTimestamp,Document Accessed Timestamp,ExeWrittenTimestamp,Network Access Timestamp"" | _Computed.DeviceCustomDate2Label in ""HashSpreadingEventTime,HashSpreadingSensorEventTime"" | _Computed.DeviceCustomNumber2Label == ""ProcessId"" | _Computed.DeviceCustomNumber3Label == ""Offset"" | _Computed.DeviceCustomString2Label in ""AccessedDocFileName,QuarantineFileSHA256,ScanResultEngine,WrittenExeFileName"" | _Computed.DeviceCustomString3Label in ""AccessedDocFilePath,QuarantineFilePath,WrittenExeFilePath"" | _Computed.DeviceCustomString4Label == 
""ScanResultVersion"" | _Computed.DeviceCustomString5Label == ""CommandLine"" | _Computed.DeviceCustomString6Label == ""FalconHostLink"" | _Computed.LogSeverity in ""1,2,3,4,5""","true","CrowdStrike Falcon Endpoint Protection","true","","false","","","","","","","" "CrowdStrikeFalconEndpointProtectionAma","CrowdStrike","[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA","The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

NOTE: This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent"", ""description"": ""Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. 
[Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json","","AMA","Title/ID indicates AMA","CrowdStrike","FalconHost","{""CommonSecurityLog"": {""vendor"": [""CrowdStrike""], ""product"": [""FalconHost""]}}","CommonSecurityLog.DeviceProduct =~ ""FalconHost"" | CommonSecurityLog.DeviceVendor =~ ""CrowdStrike"" | _Computed.DeviceCustomDate1Label in ""DNS Request Time,DocAccessTimestamp,Document Accessed Timestamp,ExeWrittenTimestamp,Network Access Timestamp"" | _Computed.DeviceCustomDate2Label in ""HashSpreadingEventTime,HashSpreadingSensorEventTime"" | _Computed.DeviceCustomNumber2Label == ""ProcessId"" | _Computed.DeviceCustomNumber3Label == ""Offset"" | _Computed.DeviceCustomString2Label in ""AccessedDocFileName,QuarantineFileSHA256,ScanResultEngine,WrittenExeFileName"" | _Computed.DeviceCustomString3Label in ""AccessedDocFilePath,QuarantineFilePath,WrittenExeFilePath"" | _Computed.DeviceCustomString4Label == ""ScanResultVersion"" | _Computed.DeviceCustomString5Label == ""CommandLine"" | _Computed.DeviceCustomString6Label == ""FalconHostLink"" | 
_Computed.LogSeverity in ""1,2,3,4,5""","true","CrowdStrike Falcon Endpoint Protection","true","","false","","","","","","","" "CrowdStrikeFalconS3CCPDefinition","Microsoft","CrowdStrike Falcon Data Replicator (AWS S3) (via Codeless Connector Framework)","The Crowdstrike Falcon Data Replicator (S3) connector provides the capability to ingest FDR event datainto Microsoft Sentinel from the AWS S3 bucket where the FDR logs have been streamed. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector requires an IAM role to be configured on AWS to allow access to the AWS S3 bucket and may not be suitable for environments that leverage CrowdStrike - managed buckets.

3. For environments that leverage CrowdStrike-managed buckets, please configure the CrowdStrike Falcon Data Replicator (CrowdStrike-Managed AWS S3) connector.

","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Requirements: \n In order to use the Falcon Data Replicator feature the following are required: \n 1. **Subscription:** \n 1.1. Falcon Data Replicator. \n 1.2. Falcon Insight XDR. \n 2. **Roles:** \n 2.1. Falcon Administrator.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. Setup your CrowdStrike & AWS environments \n To configure access on AWS, use the following two templates provided to set up the AWS environment. This will enable sending logs from an S3 bucket to your Log Analytics Workspace.\n #### For each template, create Stack in AWS: \n 1. Go to [AWS CloudFormation Stacks](https://aka.ms/awsCloudFormationLink#/stacks/create). \n 2. Choose the \u2018Specify template\u2019 option, then \u2018Upload a template file\u2019 by clicking on \u2018Choose file\u2019 and selecting the appropriate CloudFormation template file provided below. click \u2018Choose file\u2019 and select the downloaded template. \n 3. Click 'Next' and 'Create stack'.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""Make sure that your bucket will be created in the same AWS region as your Falcon CID where the FDR feed is provisioned. 
\n | CrowdStrike region | AWS region | \n |-----------------|-----------|\n | US-1 | us-west-1 |\n | US-2 | us-west-2 | \n | EU-1 | eu-central-1 ""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Template 1: OpenID connect authentication deployment"", ""isMultiLine"": true, ""fillWith"": [""Oidc""]}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Template 2: AWS CrowdStrike resources deployment"", ""isMultiLine"": true, ""fillWith"": [""CrowdStrike""]}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### Using your own S3 Bucket \n In order to use your own S3 bucket you can refernace the following guide [Use your own S3 bucket](https://falcon.us-2.crowdstrike.com/documentation/page/fa572b1c/falcon-data-replicator#g4f79236) or follow this steps: \n 1. Create support case with the following Name: **Using Self S3 bucket for FDR** \n 2. Add the following information: \n 2.1. The Falcon CID where your FDR feed is provisioned \n 2.2. Indicate which types of events you wish to have provided in this new FDR feed. \n 2.3. Indicate which types of events you wish to have provided in this new FDR feed. \n 2.4. Do not use any partitions. ""}}, {""type"": ""Markdown"", ""parameters"": {""content"": "" | Event type | S3 prefix | \n |-----------------|-----------|\n | Primary Events | data/ |\n | Secondary Events | fdrv2/ ""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. 
Connect new collectors \n To enable AWS S3 for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect.""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnValue"": ""properties.roleArn"", ""columnName"": ""Role ARN""}, {""columnValue"": ""properties.sqsUrls[0]"", ""columnName"": ""Queue URL""}, {""columnValue"": ""properties.dcrConfig.streamName"", ""columnName"": ""Stream name""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""contextPaneType"": ""DataConnectorsContextPane"", ""title"": ""Add new controller"", ""subtitle"": ""AWS S3 connector"", ""label"": ""Add new collector"", ""instructionSteps"": [{""title"": ""Account details"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Role ARN"", ""type"": ""text"", ""name"": ""roleArn"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Queue URL"", ""type"": ""text"", ""name"": ""queueUrl"", ""validations"": {""required"": true}}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Data type"", ""type"": ""text"", ""name"": ""streamName"", ""required"": true, ""placeholder"": ""Select a data type"", ""options"": [{""key"": ""Custom-CrowdstrikeStream"", ""text"": ""Primary Events""}, {""key"": ""Custom-CrowdStrikeSecondary"", ""text"": ""Secondary Events""}]}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/CrowdStrikeS3FDR_ccp/DataConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","CrowdStrike Falcon Endpoint Protection","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/CrowdStrikeS3FDR_ccp/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/CrowdStrikeS3FDR_ccp/PollingConfig.json","AmazonWebServicesS3","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#crowdstrike-falcon-data-replicator-aws-s3-via-codeless-connector-framework" -"CrowdstrikeReplicatorv2","Crowdstrike","CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Function)","This connector enables the ingestion of FDR data into Microsoft Sentinel using Azure Functions to support the assessment of potential security risks, analysis of collaboration activities, identification of configuration issues, and other operational insights.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector uses a Key & Secret based authentication and is suitable for CrowdStrike Managed buckets.

3. For environments that use a fully owned AWS S3 bucket, Microsoft recommends using the CrowdStrike Falcon Data Replicator (AWS S3) connector.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""Prerequisites"", ""description"": ""1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. 
\n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.""}, {""title"": ""Deployment Options"", ""description"": ""Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function""}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. 
Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2).""}, {""title"": """", ""description"": ""**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""SQS and AWS S3 account credentials/permissions"", ""description"": ""**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json","","Azure Function","Description mentions Azure Functions","","","","ASimFileEventLogs_CL.EventProduct == ""Falcon Data Replicator"" | ASimFileEventLogs_CL.EventVendor == ""CrowdStrike""","false","CrowdStrike Falcon Endpoint Protection","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","" +"CrowdstrikeReplicatorv2","Crowdstrike","CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Function)","This connector enables the ingestion of FDR data into Microsoft Sentinel using Azure Functions to support the assessment of potential security risks, analysis of collaboration activities, identification of configuration issues, and other operational insights.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector uses a Key & Secret based authentication and is suitable for CrowdStrike Managed buckets.

3. For environments that use a fully owned AWS S3 bucket, Microsoft recommends using the CrowdStrike Falcon Data Replicator (AWS S3) connector.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""Prerequisites"", ""description"": ""1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. 
\n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.""}, {""title"": ""Deployment Options"", ""description"": ""Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function""}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. 
Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2).""}, {""title"": """", ""description"": ""**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""SQS and AWS S3 account credentials/permissions"", ""description"": ""**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json","","Azure Function","Description mentions Azure Functions","","","","ASimUserManagementLogs_CL.EventProduct == ""Falcon Data Replicator"" | ASimUserManagementLogs_CL.EventVendor == ""CrowdStrike""","false","CrowdStrike Falcon Endpoint Protection","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","" "CustomlogsviaAMA","Microsoft","Custom logs via AMA","Many applications log information to text or JSON files instead of standard logging services, such as Windows Event logs, Syslog or CEF. The Custom Logs data connector allows you to collect events from files on both Windows and Linux computers and stream them to custom logs tables you created. While streaming the data you can parse and transform the contents using the DCR. After collecting the data, you can apply analytic rules, hunting, searching, threat intelligence, enrichments and more.

**NOTE: Use this connector for the following devices:** Cisco Meraki, Zscaler Private Access (ZPA), VMware vCenter, Apache HTTP server, Apache Tomcat, Jboss Enterprise application platform, Juniper IDP, MarkLogic Audit, MongoDB Audit, Nginx HTTP server, Oracle Weblogic server, PostgreSQL Events, Squid Proxy, Ubiquiti UniFi, SecurityBridge Threat detection SAP and AI vectra stream.","[{""description"": ""> Custom logs are collected from both Windows and Linux agents."", ""instructions"": [{""type"": ""CustomLogsAMA"", ""parameters"": {}}, {""parameters"": {""linkType"": ""OpenCreateDataCollectionRule"", ""dataCollectionRuleType"": 8}, ""type"": ""InstallAgent""}], ""title"": ""Enable data collection rule""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces/datasources"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace data sources"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true}}], ""customs"": [{""name"": ""Permissions"", ""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}]}","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CustomLogsAma/Package/mainTemplate.json","","AMA","Title/ID indicates AMA","","","","","false","CustomLogsAma","false","","true","","","","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#custom-logs-via-ama" "CyberArk","Cyber-Ark","[Deprecated] CyberArk Enterprise Password Vault (EPV) Events via Legacy Agent","CyberArk Enterprise Password Vault generates an xml Syslog message for every action taken against the Vault. 
The EPV will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/DV-Integrating-with-SIEM-Applications.htm) for more guidance on SIEM integrations.","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python installed on your machine.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. 
Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python installed on your machine using the following command: python -version\n\n>\n\n> 2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%28EPV%29%20Events/Data%20Connectors/CyberArk%20Data%20Connector.json","","AMA","Title mentions Legacy Agent","Cyber-Ark","Vault","{""CommonSecurityLog"": {""vendor"": [""Cyber-Ark""], ""product"": [""Vault""]}}","CommonSecurityLog.DeviceProduct == ""Vault"" | CommonSecurityLog.DeviceVendor == ""Cyber-Ark"" | CommonSecurityLog.LogSeverity in ""10,7""","true","CyberArk Privilege Access Manager (PAM) Events","true","","true","","","","","","","" "CyberArkAma","Cyber-Ark","[Deprecated] CyberArk Privilege Access Manager (PAM) Events via AMA","CyberArk Privilege Access Manager generates an xml Syslog message for every action taken against the Vault. The PAM will send the xml messages through the Microsoft Sentinel.xsl translator to be converted into CEF standard format and sent to a syslog staging server of your choice (syslog-ng, rsyslog). The Log Analytics agent installed on your syslog staging server will import the messages into Microsoft Log Analytics. Refer to the [CyberArk documentation](https://docs.cyberark.com/privilege-cloud-standard/Latest/en/Content/Privilege%20Cloud/privCloud-connect-siem.htm) for more guidance on SIEM integrations.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""On the EPV configure the dbparm.ini to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machines security according to your organizations security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArk%20Enterprise%20Password%20Vault%20%28EPV%29%20Events/Data%20Connectors/template_CyberArkAMA.json","","AMA","Title/ID indicates AMA","Cyber-Ark","Vault","{""CommonSecurityLog"": {""vendor"": [""Cyber-Ark""], ""product"": [""Vault""]}}","CommonSecurityLog.DeviceProduct =~ ""Vault"" | CommonSecurityLog.DeviceVendor =~ ""Cyber-Ark"" | CommonSecurityLog.LogSeverity in ""10,7""","true","CyberArk Privilege Access Manager (PAM) Events","true","","true","","","","","","","" 
@@ -189,8 +191,8 @@ "DDOS","Microsoft","Azure DDoS Protection","Connect to Azure DDoS Protection Standard logs via Public IP Address Diagnostic Logs. In addition to the core DDoS protection in the platform, Azure DDoS Protection Standard provides advanced DDoS mitigation capabilities against network attacks. It's automatically tuned to protect your specific Azure resources. Protection is simple to enable during the creation of new virtual networks. It can also be done after creation and requires no application or resource changes. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2219760&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).","[{""title"": ""Connect Azure DDoS Protection to Microsoft Sentinel"", ""description"": ""Enable Diagnostic Logs on All Public IP Addresses."", ""instructions"": [{""parameters"": {""linkType"": ""OpenMicrosoftAzureMonitoring""}, ""type"": ""InstallAgent""}]}, {""title"": ""Inside your Diagnostics settings portal, select your Public IP Address resource:"", ""description"": ""Inside your Public IP Address resource:\n \n1. Select **+ Add diagnostic setting.\u200b**\n2. 
In the **Diagnostic setting** blade:\n - Type a **Name**, within the **Diagnostics settings** name field.\n - Select **Send to Log Analytics**.\n - Choose the log destination workspace.\n - Select the categories that you want to analyze (recommended: DDoSProtectionNotifications, DDoSMitigationFlowLogs, DDoSMitigationReports)\n - Click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Azure DDoS protection plan"", ""description"": ""A configured Azure DDoS Standard protection plan [read more about Azure DDoS protection plans](https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection#create-a-ddos-protection-plan).""}, {""name"": ""Enabled Azure DDoS for virtual network"", ""description"": ""A configured virtual network with Azure DDoS Standard enabled [read more about configuring virtual network with Azure DDoS](https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection#enable-ddos-for-an-existing-virtual-network).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20DDoS%20Protection/Data%20Connectors/DDOS.JSON","","Azure Diagnostics","References Azure Diagnostics","","","","AzureDiagnostics.Category == ""DDoSMitigationReports"" | AzureDiagnostics.ResourceType == ""PUBLICIPADDRESSES""","false","Azure DDoS Protection","false","","true","","","","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-ddos-protection" "DNS","Microsoft","DNS","The DNS log connector allows you to easily connect your DNS analytic and audit logs with Microsoft Sentinel, and other related data, to improve investigation.

**When you enable DNS log collection you can:**
- Identify clients that try to resolve malicious domain names.
- Identify stale resource records.
- Identify frequently queried domain names and talkative DNS clients.
- View request load on DNS servers.
- View dynamic DNS registration failures.

For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220127&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).","[{""title"": ""1. Download and install the agent"", ""description"": ""> DNS logs are collected only from **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on non-Azure Windows Machine"", ""description"": ""Select the machine to install the agent and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Install DNS solution"", ""instructions"": [{""parameters"": {""solutionName"": ""DnsAnalytics""}, ""type"": ""OmsSolutions""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/solutions"", ""permissionsDisplayText"": ""[read and write permissions](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#log-analytics-contributor)."", ""providerDisplayName"": ""Solutions"", ""scope"": ""ResourceGroup"", ""requiredPermissions"": {""read"": true, ""write"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Server%20DNS/Data%20Connectors/template_DNS.JSON","","AMA","Uses OmsSolutions (MMA-era technology)","","","","","false","Windows Server DNS","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dns" "DTRunVulnCCPDefinition","Dynatrace","Dynatrace Runtime Vulnerabilities V2","This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into Microsoft Sentinel Log Analytics.","[{""title"": ""Dynatrace Vulnerabilities Events to Microsoft Sentinel"", ""description"": ""Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""type"": ""text"", ""label"": ""Dynatrace tenant (ex. 
xyz.dynatrace.com)"", ""placeholder"": ""{{dynatraceEnvironmentUrl}}"", ""name"": ""dynatraceEnvironmentUrl""}, ""type"": ""Textbox""}, {""parameters"": {""enable"": ""true"", ""type"": ""password"", ""label"": ""Dynatrace Access Token"", ""placeholder"": ""{{dynatraceAccessToken}}"", ""name"": ""dynatraceAccessToken""}, ""type"": ""Textbox""}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""connect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Dynatrace tenant (ex. xyz.dynatrace.com)"", ""description"": ""You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/).""}, {""name"": ""Dynatrace Access Token"", ""description"": ""You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_Definition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Dynatrace","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceRuntimeVulnerabilitiesV2/Connector_Dynatrace_RuntimeVulnerabilities_DCR.json","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dynatrace-runtime-vulnerabilities-v2" -"Darktrace","Darktrace","[Deprecated] AI Analyst Darktrace via Legacy Agent","The Darktrace connector lets users connect Darktrace Model Breaches in real-time with 
Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. 
\n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace/Data%20Connectors/AIA-Darktrace.json","","AMA","Title mentions Legacy Agent","Darktrace","","{""CommonSecurityLog"": {""vendor"": [""Darktrace""], ""product"": []}}","CommonSecurityLog.DeviceVendor == ""Darktrace""","false","AI Analyst Darktrace","true","","true","","","","","","","" -"DarktraceAma","Darktrace","[Deprecated] AI Analyst Darktrace via AMA","The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. 
Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.""}, {""title"": ""Step C. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace/Data%20Connectors/template_AIA-DarktraceAMA.json","","AMA","Title/ID indicates AMA","Darktrace","","{""CommonSecurityLog"": {""vendor"": [""Darktrace""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""Darktrace""","false","AI Analyst Darktrace","true","","true","","","","","","","" +"Darktrace","Darktrace","[Deprecated] AI Analyst Darktrace via Legacy Agent","The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.","[{""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. 
Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace/Data%20Connectors/AIA-Darktrace.json","","AMA","Title mentions Legacy Agent","Darktrace","","{""CommonSecurityLog"": {""vendor"": [""Darktrace""], ""product"": []}}","CommonSecurityLog.DeviceVendor == ""Darktrace""","false","AI Analyst Darktrace","true","","false","","","","","","","" +"DarktraceAma","Darktrace","[Deprecated] AI Analyst Darktrace via AMA","The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. 
Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.""}, {""title"": ""Step C. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace/Data%20Connectors/template_AIA-DarktraceAMA.json","","AMA","Title/ID indicates AMA","Darktrace","","{""CommonSecurityLog"": {""vendor"": [""Darktrace""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""Darktrace""","false","AI Analyst Darktrace","true","","false","","","","","","","" "DarktraceRESTConnector","Darktrace","Darktrace Connector for Microsoft Sentinel REST API","The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled ""darktrace_model_alerts_CL""; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters.","[{""title"": """", ""description"": ""1. Detailed setup instructions can be found on the Darktrace Customer Portal: https://customerportal.darktrace.com/product-guides/main/microsoft-sentinel-introduction\n 2. Take note of the Workspace ID and the Primary key. 
You will need to enter these details on your Darktrace System Configuration page.\n "", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Darktrace Configuration"", ""description"": ""1. Perform the following steps on the Darktrace System Configuration page:\n 2. Navigate to the System Configuration Page (Main Menu > Admin > System Config)\n 3. Go into Modules configuration and click on the \""Microsoft Sentinel\"" configuration card\n 4. Select \""HTTPS (JSON)\"" and hit \""New\""\n 5. Fill in the required details and select appropriate filters\n 6. Click \""Verify Alert Settings\"" to attempt authentication and send out a test alert\n 7. Run a \""Look for Test Alerts\"" sample query to validate that the test alert has been received"", ""instructions"": """"}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Darktrace Prerequisites"", ""description"": ""To use this Data Connector a Darktrace master running v5.2+ is required.\n Data is sent to the [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) over HTTPs from Darktrace masters, therefore outbound connectivity from the Darktrace master to Microsoft Sentinel REST API is required.""}, {""name"": ""Filter Darktrace Data"", ""description"": ""During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent.""}, {""name"": ""Try the Darktrace Sentinel Solution"", ""description"": ""You can get the most out of this connector by installing the Darktrace Solution for Microsoft Sentinel. 
This will provide workbooks to visualise alert data and analytics rules to automatically create alerts and incidents from Darktrace Model Breaches and AI Analyst incidents.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Data%20Connectors/DarktraceConnectorRESTAPI.json","","REST Pull API","Title/description mentions REST API","","","","","false","Darktrace","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#darktrace-connector-for-microsoft-sentinel-rest-api" "DataBahnPush","DataBahn","DataBahn","The [DataBahn](https://databahn.ai/) connector provides the capability to push real-time platform telemetry from your DataBahn environment directly into Microsoft Sentinel using the Codeless Connector Framework (CCF) Push pattern. This connector ingests audit logs, operational alerts, and device inventory into custom Log Analytics tables for analysis, alerting, and visualization.","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector enables your DataBahn platform to push audit logs, alerts, and device inventory directly to Microsoft Sentinel via the Azure Monitor Ingestion API."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Deploy DataBahn connector resources"", ""applicationDisplayName"": ""DataBahn Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. 
Configure Your DataBahn Platform"", ""description"": ""Use the following parameters to configure your DataBahn Highway destination to push data to the workspace."", ""instructions"": [{""parameters"": {""label"": ""Tenant ID (Directory ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint Uri"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the Data Collection Endpoint Uri""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the Data Collection Rule Immutable ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Audit Logs Stream Name"", ""value"": ""Custom-databahn_audit_logs""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Alerts Stream Name"", ""value"": ""Custom-databahn_alerts""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Device Inventory Stream Name"", ""value"": ""Custom-databahn_device_inventory""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app 
registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). Typically requires Azure RBAC Owner or User Access Administrator role.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Databahn/Data%20Connectors/DataBahn_PUSH_CCP/DataBahn_connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Databahn","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Databahn/Data%20Connectors/DataBahn_PUSH_CCP/DataBahn_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Databahn/Data%20Connectors/DataBahn_PUSH_CCP/DataBahn_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#databahn" "Datalake2SentinelConnector","Orange Cyberdefense","Datalake2Sentinel","This solution installs the Datalake2Sentinel connector which is built using the Codeless Connector Platform and allows you to automatically ingest threat intelligence indicators from **Datalake Orange Cyberdefense's CTI platform** into Microsoft Sentinel via the Upload Indicators REST API. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.","[{""title"": ""Installation and setup instructions"", ""description"": ""Use the documentation from this Github repository to install and configure the Datalake to Microsoft Sentinel connector. 
\n\nhttps://github.com/cert-orangecyberdefense/datalake2sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Datalake2Sentinel/Data%20Connectors/Datalake2SentinelConnector.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (api.ti.sentinel.azure.com) - external repo cert-orangecyberdefense/datalake2sentinel","","","","ThreatIntelligenceIndicator.SourceSystem == ""Datalake - OrangeCyberdefense""","false","Datalake2Sentinel","false","","true","","","","STIX 2.1 Upload Indicators API","External Azure Function code calls https://api.ti.sentinel.azure.com/workspaces/{workspace_id}/threat-intelligence-stix-objects:upload (verified at cert-orangecyberdefense/datalake2sentinel)","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#datalake2sentinel" 
@@ -200,7 +202,7 @@ "DelineaSecretServer_CEF","Delinea, Inc","[Deprecated] Delinea Secret Server via Legacy Agent","Common Event Format (CEF) from Delinea Secret Server ","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Delinea Secret Server"", ""description"": ""must be configured to export logs via Syslog \n\n [Learn more about configure Secret Server](https://thy.center/ss/link/syslog)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Delinea%20Secret%20Server/Data%20Connectors/DelineaSecretServer_CEF.json","","AMA","Title mentions Legacy Agent","Delinea Software;Thycotic Software","Secret Server","{""CommonSecurityLog"": {""vendor"": [""Delinea Software"", ""Thycotic Software""], ""product"": [""Secret Server""]}}","CommonSecurityLog.Activity has ""SECRET - CREATE"" | CommonSecurityLog.Activity has ""SECRET - VIEW"" | CommonSecurityLog.DeviceProduct == ""Secret Server"" | CommonSecurityLog.DeviceVendor in ""Delinea Software,Thycotic Software""","false","Delinea Secret Server","true","","true","","","","","","","" "DerdackSIGNL4","Derdack","Derdack SIGNL4","When critical systems fail or security incidents happen, SIGNL4 bridges the ‘last mile’ to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time.

[Learn more >](https://www.signl4.com)","[{""title"": """", ""description"": "">**NOTE:** This data connector is mainly configured on the SIGNL4 side. You can find a description video here: [**Integrate SIGNL4 with Microsoft Sentinel**](https://www.signl4.com/blog/portfolio_item/azure-sentinel-mobile-alert-notification-duty-schedule-escalation/)."", ""instructions"": []}, {""title"": """", ""description"": "">**SIGNL4 Connector:** The SIGNL4 connector for Microsoft Sentinel, Azure Security Center and other Azure Graph Security API providers provides seamless 2-way integration with your Azure Security solutions. Once added to your SIGNL4 team, the connector will read security alerts from Azure Graph Security API and fully automatically and trigger alert notifications to your team members on duty. It will also synchronize the alert status from SIGNL4 to Graph Security API, so that if alerts are acknowledged or closed, this status is also updated on the according Azure Graph Security API alert or the corresponding security provider. As mentioned, the connector mainly uses Azure Graph Security API, but for some security providers, such as Microsoft Sentinel, it also uses dedicated REST APIs from according Azure solutions."", ""instructions"": []}, {""title"": ""Microsoft Sentinel Features"", ""description"": ""Microsoft Sentinel is a cloud native SIEM solution from Microsoft and a security alert provider in Azure Graph Security API. However, the level of alert details available with the Graph Security API is limited for Microsoft Sentinel. The connector can therefore augment alerts with further details (insights rule search results), from the underlying Microsoft Sentinel Log Analytics workspace. To be able to do that, the connector communicates with Azure Log Analytics REST API and needs according permissions (see below). Furthermore, the app can also update the status of Microsoft Sentinel incidents, when all related security alerts are e.g. in progress or resolved. 
In order to be able to do that, the connector needs to be a member of the 'Microsoft Sentinel Contributors' group in your Azure Subscription.\n **Automated deployment in Azure**\n The credentials required to access the beforementioned APIs, are generated by a small PowerShell script that you can download below. The script performs the following tasks for you:\n - Logs you on to your Azure Subscription (please login with an administrator account)\n - Creates a new enterprise application for this connector in your Azure AD, also referred to as service principal\n - Creates a new role in your Azure IAM that grants read/query permission to only Azure Log Analytics workspaces.\n - Joins the enterprise application to that user role\n - Joins the enterprise application to the 'Microsoft Sentinel Contributors' role\n - Outputs some data that you need to configure app (see below)"", ""instructions"": []}, {""title"": ""Deployment procedure"", ""description"": ""1. Download the PowerShell deployment script from [here](https://github.com/signl4/signl4-integration-azuresentinel/blob/master/registerSIGNL4Client.ps1).\n2. Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Microsoft Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Azure Active Directory.\n3. Run the script. At the end it outputs information that you need to enter in the connector app configuration.\n4. In Azure AD, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details\n5. On the left menu blade click 'API Permissions'. Then click 'Add a permission'.\n6. On the blade that loads, under 'Microsoft APIs' click on the 'Microsoft Graph' tile, then click 'App permission'.\n7. In the table that is displayed expand 'SecurityEvents' and check 'SecurityEvents.Read.All' and 'SecurityEvents.ReadWrite.All'.\n8. 
Click 'Add permissions'."", ""instructions"": []}, {""title"": ""Configuring the SIGNL4 connector app"", ""description"": ""Finally, enter the IDs, that the script has outputted in the connector configuration:\n - Azure Tenant ID\n - Azure Subscription ID\n - Client ID (of the enterprise application)\n - Client Secret (of the enterprise application)\n Once the app is enabled, it will start reading your Azure Graph Security API alerts.\n\n>**NOTE:** It will initially only read the alerts that have occurred within the last 24 hours."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SIGNL4/Data%20Connectors/DerdackSIGNL4.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SIGNL4","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#derdack-signl4" "DigitalGuardianDLP","Digital Guardian","[Deprecated] Digital Guardian Data Loss Prevention","[Digital Guardian Data Loss Prevention (DLP)](https://digitalguardian.com/platform-overview) data connector provides the capability to ingest Digital Guardian DLP logs into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**DigitalGuardianDLPEvent**](https://aka.ms/sentinel-DigitalGuardianDLP-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. Configure Digital Guardian to forward logs via Syslog to remote server where you will install the agent."", ""description"": ""Follow these steps to configure Digital Guardian to forward logs via Syslog:\n\n1.1. Log in to the Digital Guardian Management Console.\n\n1.2. Select **Workspace** > **Data Export** > **Create Export**.\n\n1.3. From the **Data Sources** list, select **Alerts** or **Events** as the data source.\n\n1.4. From the **Export type** list, select **Syslog**.\n\n1.5. From the **Type list**, select **UDP** or **TCP** as the transport protocol.\n\n1.6. 
In the **Server** field, type the IP address of your Remote Syslog server.\n\n1.7. In the **Port** field, type 514 (or other port if your Syslog server was configured to use non-default port).\n\n1.8. From the **Severity Level** list, select a severity level.\n\n1.9. Select the **Is Active** check box.\n\n1.9. Click **Next**.\n\n1.10. From the list of available fields, add Alert or Event fields for your data export.\n\n1.11. Select a Criteria for the fields in your data export and click **Next**.\n\n1.12. Select a group for the criteria and click **Next**.\n\n1.13. Click **Test Query**.\n\n1.14. Click **Next**.\n\n1.15. Save the data export.""}, {""title"": ""2. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server to which the logs will be forwarded.\n\n> Logs on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": 
""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""3. Check logs in Microsoft Sentinel"", ""description"": ""Open Log Analytics to check if the logs are received using the Syslog schema.\n\n>**NOTE:** It may take up to 15 minutes before new logs will appear in Syslog table."", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention/Data%20Connectors/Connector_DigitalGuardian_Syslog.json","","AMA","Syslog with agent installation (no AMA)","","","","Syslog.SyslogMessage contains ""managed_device_id"" | Syslog.SyslogMessage contains ""number_of_incidents""","true","Digital Guardian Data Loss Prevention","true","","true","","","","","","","" -"DigitalShadowsSearchlightAzureFunctions","Digital Shadows","Digital Shadows Searchlight","The Digital Shadows data connector provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. The connector will provide the incidents and alerts information such that it helps to examine, diagnose and analyse the potential security risks and threats.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to a 'Digital Shadows Searchlight' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the 'Digital Shadows Searchlight' API**\n\nThe provider should provide or link to detailed steps to configure the 'Digital Shadows Searchlight' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 'Digital Shadows Searchlight' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'Digital Shadows Searchlight' API authorization key(s) or Token, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the 'Digital Shadows Searchlight' connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Digitalshadows-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, 'and/or Other required fields'. \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": """", ""description"": ""**Option 2 - Manual Deployment of Azure Functions**\n\n Use the following step-by-step instructions to deploy the 'Digital Shadows Searchlight' connector manually with Azure Functions.""}, {""title"": ""1. Create a Function App"", ""description"": ""1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, ensure Runtime stack is set to **python 3.11**. \n4. In the **Hosting** tab, ensure **Plan type** is set to **'Consumption (Serverless)'**.\n5.select Storage account\n6. 'Add other required configurations'. \n5. 'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""2. Import Function App Code(Zip deployment)"", ""description"": ""1. Install Azure CLI\n2. From terminal type **az functionapp deployment source config-zip -g -n --src ** and hit enter. Set the `ResourceGroup` value to: your resource group name. Set the `FunctionApp` value to: your newly created function app name. Set the `Zip File` value to: `digitalshadowsConnector.zip`(path to your zip file). Note:- Download the zip file from the link - [Function App Code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Shadows/Data%20Connectors/Digital%20Shadows/digitalshadowsConnector.zip)""}, {""title"": ""3. Configure the Function App"", ""description"": ""1. In the Function App screen, click the Function App name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following 'x (number of)' application settings individually, under Name, with their respective string values (case-sensitive) under Value: \n\t\tDigitalShadowsAccountID\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tDigitalShadowsKey\n\t\tDigitalShadowsSecret\n\t\tHistoricalDays\n\t\tDigitalShadowsURL\n\t\tClassificationFilterOperation\n\t\tHighVariabilityClassifications\n\t\tFUNCTION_NAME\n\t\tlogAnalyticsUri (optional)\n(add any other settings required by the Function App)\nSet the `DigitalShadowsURL` value to: `https://api.searchlight.app/v1`\nSet the `HighVariabilityClassifications` value to: `exposed-credential,marked-document`\nSet the `ClassificationFilterOperation` value to: `exclude` for exclude function app or `include` for include function app \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Digital Shadows account ID, secret and key** is required. See the documentation to learn more about API on the `https://portal-digitalshadows.com/learn/searchlight-api/overview/description`.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Shadows/Data%20Connectors/Digital%20Shadows/DigitalShadowsSearchlight_API_functionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Digital Shadows","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#digital-shadows-searchlight-using-azure-functions" +"DigitalShadowsSearchlightAzureFunctions","Digital Shadows","Digital Shadows Searchlight","The Digital Shadows data connector provides ingestion of the incidents and alerts from Digital Shadows Searchlight into the Microsoft Sentinel using the REST API. The connector will provide the incidents and alerts information such that it helps to examine, diagnose and analyse the potential security risks and threats.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to a 'Digital Shadows Searchlight' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the 'Digital Shadows Searchlight' API**\n\nThe provider should provide or link to detailed steps to configure the 'Digital Shadows Searchlight' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 'Digital Shadows Searchlight' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'Digital Shadows Searchlight' API authorization key(s) or Token, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the 'Digital Shadows Searchlight' connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Digitalshadows-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, 'and/or Other required fields'. \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": """", ""description"": ""**Option 2 - Manual Deployment of Azure Functions**\n\n Use the following step-by-step instructions to deploy the 'Digital Shadows Searchlight' connector manually with Azure Functions.""}, {""title"": ""1. Create a Function App"", ""description"": ""1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, ensure Runtime stack is set to **python 3.11**. \n4. In the **Hosting** tab, ensure **Plan type** is set to **'Consumption (Serverless)'**.\n5.select Storage account\n6. 'Add other required configurations'. \n5. 'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""2. Import Function App Code(Zip deployment)"", ""description"": ""1. Install Azure CLI\n2. From terminal type **az functionapp deployment source config-zip -g -n --src ** and hit enter. Set the `ResourceGroup` value to: your resource group name. Set the `FunctionApp` value to: your newly created function app name. Set the `Zip File` value to: `digitalshadowsConnector.zip`(path to your zip file). Note:- Download the zip file from the link - [Function App Code](https://aka.ms/sentinel-DigitalShadows-functionapp)""}, {""title"": ""3. Configure the Function App"", ""description"": ""1. 
In the Function App screen, click the Function App name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following 'x (number of)' application settings individually, under Name, with their respective string values (case-sensitive) under Value: \n\t\tDigitalShadowsAccountID\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tDigitalShadowsKey\n\t\tDigitalShadowsSecret\n\t\tHistoricalDays\n\t\tDigitalShadowsURL\n\t\tClassificationFilterOperation\n\t\tHighVariabilityClassifications\n\t\tFUNCTION_NAME\n\t\tlogAnalyticsUri (optional)\n(add any other settings required by the Function App)\nSet the `DigitalShadowsURL` value to: `https://api.searchlight.app/v1`\nSet the `HighVariabilityClassifications` value to: `exposed-credential,marked-document`\nSet the `ClassificationFilterOperation` value to: `exclude` for exclude function app or `include` for include function app \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. 
Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Digital Shadows account ID, secret and key** is required. 
See the documentation to learn more about API on the `https://portal-digitalshadows.com/learn/searchlight-api/overview/description`.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Shadows/Data%20Connectors/DigitalShadowsSearchlight_API_functionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Digital Shadows","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#digital-shadows-searchlight-using-azure-functions" "Doppel_DataConnector","Doppel","Doppel Data Connector","The data connector is built on Microsoft Sentinel for Doppel events and alerts and supports DCR-based [ingestion time transformations](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/ingestion-time-transformations) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.","[{""title"": ""Configure Doppel Webhook"", ""description"": ""Configure the Webhook in Doppel and Endpoint with permissions in Microsoft Sentinel to send data."", ""instructions"": [{""type"": ""InstructionStepsGroup"", ""parameters"": {""enable"": true, ""userRequestPlaceHolder"": """", ""instructionSteps"": [{""title"": ""Register the Application in Microsoft Entra ID"", ""description"": ""1. **Open the [Microsoft Entra ID page](https://entra.microsoft.com/)**:\n - Click the provided link to open the **Microsoft Entra ID** registration page in a new tab.\n - Ensure you are logged in with an account that has **Admin level** permissions.\n\n2. 
**Create a New Application**:\n - In the **Microsoft Entra ID portal**, select **App registrations** mentioned on the left-hand side tab.\n - Click on **+ New registration**.\n - Fill out the following fields:\n - **Name**: Enter a name for the app (e.g., \u201cDoppel App\u201d).\n - **Supported account types**: Choose **Accounts in this organizational directory only** (Default Directory only - Single tenant).\n - **Redirect URI**: Leave this blank unless required otherwise.\n - Click **Register** to create the application.\n\n3. **Copy Application and Tenant IDs**:\n - Once the app is registered, note the **Application (client) ID** and **Directory (tenant) ID** from the **Overview** page. You\u2019ll need these for the integration.\n\n4. **Create a Client Secret**:\n - In the **Certificates & secrets** section, click **+ New client secret**.\n - Add a description (e.g., 'Doppel Secret') and set an expiration (e.g., 1 year).\n - Click **Add**.\n - **Copy the client secret value immediately**, as it will not be shown again.""}, {""title"": ""Assign the \""Monitoring Metrics Publisher\"" Role to the App"", ""description"": ""1. **Open the Resource Group in Azure Portal**:\n - Navigate to the **Resource Group** that contains the **Log Analytics Workspace** and **Data Collection Rules (DCRs)** where you want the app to push data.\n\n2. **Assign the Role**:\n - In the **Resource Group** menu, click on **Access control (IAM)** mentioned on the left-hand side tab ..\n - Click on **+ Add** and select **Add role assignment**.\n - In the **Role** dropdown, search for and select the **Monitoring Metrics Publisher** role.\n - Under **Assign access to**, choose **Azure AD user, group, or service principal**.\n - In the **Select** field, search for your registered app by **name** or **client ID**.\n - Click **Save** to assign the role to the application.""}, {""title"": ""Deploy the ARM Template"", ""description"": ""1. 
**Retrieve the Workspace ID**:\n - After assigning the role, you will need the **Workspace ID**.\n - Navigate to the **Log Analytics Workspace** within the **Resource Group**.\n - In the **Overview** section, locate the **Workspace ID** field under **Workspace details**.\n - **Copy the Workspace ID** and keep it handy for the next steps.\n\n2. **Click the Deploy to Azure Button**:\n - [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fmetron-labs%2FAzure-Sentinel%2Frefs%2Fheads%2FDoppelSolution%2FSolutions%2FDoppel%2FData%2520Connectors%2FDeployToAzure.json).\n - This will take you directly to the Azure portal to start the deployment.\n\n3. **Review and Customize Parameters**:\n - On the custom deployment page, ensure you\u2019re deploying to the correct **subscription** and **resource group**.\n - Fill in the parameters like **workspace name**, **workspace ID**, and **workspace location**.\n\n4. **Click Review + Create** and then **Create** to deploy the resources.""}, {""title"": ""Verify DCE, DCR, and Log Analytics Table Setup"", ""description"": ""1. **Check the Data Collection Endpoint (DCE)**:\n - After deploying, go to **Azure Portal > Data Collection Endpoints**.\n - Verify that the **DoppelDCE** endpoint has been created successfully.\n - **Copy the DCE Logs Ingestion URI**, as you\u2019ll need this for generating the webhook URL.\n\n2. **Confirm Data Collection Rule (DCR) Setup**:\n - Go to **Azure Portal > Data Collection Rules**.\n - Ensure the **DoppelDCR** rule is present.\n - **Copy the Immutable ID** of the DCR from the Overview page, as you\u2019ll need it for the webhook URL.\n\n3. 
**Validate Log Analytics Table**:\n - Navigate to your **Log Analytics Workspace** (linked to Microsoft Sentinel).\n - Under the **Tables** section, verify that the **DoppelTable_CL** table has been created successfully and is ready to receive data.""}, {""title"": ""Integrate Doppel Alerts with Microsoft Sentinel"", ""description"": ""1. **Gather Necessary Information**:\n - Collect the following details required for integration:\n - **Data Collection Endpoint ID (DCE-ID)**\n - **Data Collection Rule ID (DCR-ID)**\n - **Microsoft Entra Credentials**: Tenant ID, Client ID, and Client Secret.\n\n2. **Coordinate with Doppel Support**:\n - Share the collected DCE-ID, DCR-ID, and Microsoft Entra credentials with Doppel support.\n - Request assistance to configure these details in the Doppel tenant to enable webhook setup.\n\n3. **Webhook Setup by Doppel**:\n - Doppel will use the provided Resource IDs and credentials to configure a webhook.\n - This webhook will facilitate the forwarding of alerts from Doppel to Microsoft Sentinel.\n\n4. 
**Verify Alert Delivery in Microsoft Sentinel**:\n - Check that alerts from Doppel are successfully forwarded to Microsoft Sentinel.\n - Validate that the **Workbook** in Microsoft Sentinel is updated with the alert statistics, ensuring seamless data integration.""}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": false}}], ""customs"": [{""name"": ""Microsoft Entra Tenant ID, Client ID and Client Secret"", ""description"": ""Microsoft Entra ID requires a Client ID and Client Secret to authenticate your application. 
Additionally, Global Admin/Owner level access is required to assign the Entra-registered application a Resource Group Monitoring Metrics Publisher role.""}, {""name"": ""Requires Workspace ID, DCE-URI, DCR-ID"", ""description"": ""You will need to get the Log Analytics Workspace ID, DCE Logs Ingestion URI and DCR Immutable ID for the configuration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Doppel/Data%20Connectors/Template_Doppel.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Doppel","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#doppel-data-connector" "DragosSitestoreCCP","Dragos"," Dragos Notifications via Cloud Sitestore","The [Dragos Platform](https://www.dragos.com/) is the leading Industrial Cyber Security platform it offers a comprehensive Operational Technology (OT) cyber threat detection built by unrivaled industrial cybersecurity expertise. 
This solution enables Dragos Platform notification data to be viewed in Microsoft Sentinel so that security analysts are able to triage potential cyber security events occurring in their industrial environments.","[{""description"": ""Please provide the following information to allow Microsoft Sentinel to connect to your Dragos Sitestore."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Dragos Sitestore Hostname"", ""placeholder"": ""dragossitestore.example.com"", ""type"": ""text"", ""name"": ""dragosSitestoreHostname""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Dragos Sitestore API Key ID"", ""placeholder"": ""Enter the API key ID."", ""type"": ""text"", ""name"": ""username""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Dragos Sitestore API Key Secret"", ""placeholder"": ""Enter the API key secret"", ""type"": ""password"", ""name"": ""password""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Minimum Notification Severity. Valid values are 0-5 inclusive. Ensure less than or equal to maximum severity."", ""placeholder"": ""Enter the min severity (recommend 0 for all notifications)"", ""type"": ""number"", ""name"": ""minSeverity""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Maximum Notification Severity. Valid values are 0-5 inclusive. 
Ensure greater than or equal to minimum severity."", ""placeholder"": ""Enter the max severity (recommend 5 for all notifications)"", ""type"": ""number"", ""name"": ""maxSeverity""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect to Sitestore"", ""disconnectLabel"": ""Disconnect from Sitestore"", ""name"": ""connectionToggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Dragos Sitestore API access"", ""description"": ""A Sitestore user account that has the `notification:read` permission. This account also needs to have an API key that can be provided to Sentinel.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dragos/Data%20Connectors/DragosSiteStore_CCP/dragosSitestoreDataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Dragos","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dragos/Data%20Connectors/DragosSiteStore_CCP/dcr.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dragos/Data%20Connectors/DragosSiteStore_CCP/dataPoller.json","Basic;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dragos-notifications-via-cloud-sitestore" "DruvaEventCCPDefinition","Microsoft","Druva Events Connector","Provides capability to ingest the Druva events from Druva APIs","[{""description"": "">Note: Configurations to connect to Druva Rest API\n""}, {""description"": ""Step 1: Create credentials from Druva console. Refer this doc for steps:- https://help.druva.com/en/articles/8580838-create-and-manage-api-credentials\n""}, {""description"": ""Step 2: Enter the hostname. 
For public cloud its apis.druva.com\n""}, {""description"": ""Step 3: Enter client id and client secret key\n""}, {""description"": ""Provide required values:\n"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Hostname"", ""placeholder"": ""Example: apis.druva.com"", ""type"": ""text"", ""name"": ""hostname""}}, {""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Client ID"", ""clientSecretLabel"": ""Client Secret"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}], ""title"": ""Connect to Druva API to start collecting logs in Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permission are required"", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Druva API Access"", ""description"": ""Druva API requires a client id and client secret to authenticate""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DruvaDataSecurityCloud/Data%20Connectors/Druva_ccp/Druva_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","DruvaDataSecurityCloud","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DruvaDataSecurityCloud/Data%20Connectors/Druva_ccp/Druva_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DruvaDataSecurityCloud/Data%20Connectors/Druva_ccp/Druva_PollingConfig.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#druva-events-connector" 
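Review bot: the added `DigitalShadowsSearchlightAzureFunctions` row duplicates the existing Digital Shadows Searchlight row directly above it (same publisher, same title, same description, identical deployment steps and the same `HTTP Data Collector API` classification); the only differences are the definition path (`Data Connectors/DigitalShadowsSearchlight_API_functionApp.json` versus `Data Connectors/Digital Shadows/DigitalShadowsSearchlight_API_functionApp.json`) and the zip download link (`https://aka.ms/sentinel-DigitalShadows-functionapp` versus the GitHub blob URL). If both definition files really exist in the solution, this will double the Digital Shadows connector and table counts in the generated index; please either confirm the duplicate is intentional or have the mapper collapse rows whose definitions resolve to the same connector title. While in this hunk, the `Doppel_DataConnector` context row is tagged "Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)" although its definition sets the `sharedKeys` permission to `""action"": false` and its steps describe DCE/DCR ingestion by an Entra application holding the Monitoring Metrics Publisher role, so the SharedKey promotion heuristic looks like a false positive there and the row should probably not be classified as `HTTP Data Collector API`.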
@@ -213,9 +215,9 @@ "DynatraceProblems","Dynatrace","Dynatrace Problems V1","This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics","[{""title"": ""Dynatrace Problem Events to Microsoft Sentinel"", ""description"": ""Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""Dynatrace tenant (ex. xyz.dynatrace.com)"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{dynatraceEnvironmentUrl}}""}]}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Dynatrace tenant (ex. 
xyz.dynatrace.com)"", ""description"": ""You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial).""}, {""name"": ""Dynatrace Access Token"", ""description"": ""You need a Dynatrace Access Token, the token should have ***Read problems*** (problems.read) scope.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceProblemsV1/Connector_Dynatrace_Problems.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","","false","Dynatrace","false","","true","","","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dynatrace-problems-v1" "DynatraceProblemsCCPDefinition","Dynatrace","Dynatrace Problems V2","This connector uses the [Dynatrace Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/problems-v2) to ingest problem events into Microsoft Sentinel Log Analytics","[{""title"": ""Dynatrace Problem Events to Microsoft Sentinel"", ""description"": ""Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""type"": ""text"", ""label"": ""Dynatrace tenant (ex. 
xyz.dynatrace.com)"", ""placeholder"": ""{{dynatraceEnvironmentUrl}}"", ""name"": ""dynatraceEnvironmentUrl""}, ""type"": ""Textbox""}, {""parameters"": {""enable"": ""true"", ""type"": ""password"", ""label"": ""Dynatrace Access Token"", ""placeholder"": ""{{dynatraceAccessToken}}"", ""name"": ""dynatraceAccessToken""}, ""type"": ""Textbox""}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""connect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Dynatrace tenant (ex. xyz.dynatrace.com)"", ""description"": ""You need a valid Dynatrace Tenant, to learn more about the Dynatrace platform [Start your free trial](https://www.dynatrace.com/trial).""}, {""name"": ""Dynatrace Access Token"", ""description"": ""You need a Dynatrace Access Token, the token should have ***Read problems*** (problems.read) scope.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_Definition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Dynatrace","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceProblemsV2/Connector_Dynatrace_Problems_DCR.json","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dynatrace-problems-v2" "DynatraceRuntimeVulnerabilities","Dynatrace","Dynatrace Runtime Vulnerabilities V1","This connector uses the [Dynatrace Security Problem REST API](https://docs.dynatrace.com/docs/dynatrace-api/environment-api/application-security/vulnerabilities/get-vulnerabilities) to ingest detected runtime vulnerabilities into 
Microsoft Sentinel Log Analytics.","[{""title"": ""Dynatrace Vulnerabilities Events to Microsoft Sentinel"", ""description"": ""Configure and Enable Dynatrace [Application Security](https://www.dynatrace.com/platform/application-security/). \n Follow [these instructions](https://docs.dynatrace.com/docs/shortlink/token#create-api-token) to generate an access token."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""Dynatrace tenant (ex. xyz.dynatrace.com)"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{dynatraceEnvironmentUrl}}""}]}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Dynatrace tenant (ex. 
xyz.dynatrace.com)"", ""description"": ""You need a valid Dynatrace tenant with [Application Security](https://www.dynatrace.com/platform/application-security/) enabled, learn more about the [Dynatrace platform](https://www.dynatrace.com/).""}, {""name"": ""Dynatrace Access Token"", ""description"": ""You need a Dynatrace Access Token, the token should have ***Read security problems*** (securityProblems.read) scope.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dynatrace/Data%20Connectors/DynatraceRuntimeVulnerabilitiesV1/Connector_Dynatrace_RuntimeVulnerabilities.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","","false","Dynatrace","false","","true","","","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#dynatrace-runtime-vulnerabilities-v1" -"ESETInspect","ESET Netherlands","ESET Inspect","This connector will ingest detections from [ESET Inspect](https://www.eset.com/int/business/solutions/xdr-extended-detection-and-response/) using the provided [REST API](https://help.eset.com/ei_navigate/latest/en-US/api.html). This API is present in ESET Inspect version 1.4 and later.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to ESET Inspect to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""Step 1 - Create an API user"", ""description"": ""1. 
Log into the ESET PROTECT console with an administrator account, select the **More** tab and the **Users** subtab. \n2. Click on the **ADD NEW** button and add a **native user**.\n3. Create a new user for the API account. **Optional:** Select a **Home group** other than **All** to limit what detections are ingested. \n4. Under the **Permission Sets** tab, assign the **Inspect reviewer permission set**.\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5.""}, {""title"": ""Step 2 - Copy Workspace ID and Key"", ""description"": "">**IMPORTANT:** Before deploying the ESET Inspect connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Step 3 - Deploy the Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the ESET Inspect connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESETInspect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , enter the **Inspect base URL** and the **first ID** to start ingesting detections from.\n - The defailt starting ID is **0**. This means that all detections will be ingested. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labelled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Access to the ESET PROTECT console"", ""description"": ""Permissions to add users""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Inspect/Data%20Connectors/ESETInspect_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","_Computed.Username !contains ""nt authority""","false","ESET Inspect","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" -"ESETPROTECT","ESET","[Deprecated] ESET PROTECT","This connector gathers all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes Anti-Virus detections, Firewall detections but also more advanced EDR detections. For a complete list of events please refer to [the documentation](https://help.eset.com/protect_admin/latest/en-US/events-exported-to-json-format.html).","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ESETPROTECT and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Parsers/ESETPROTECT.txt).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities. The default ESET PROTECT facility is **user**.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure ESET PROTECT"", ""description"": ""Configure ESET PROTECT to send all events through Syslog.\n\n1. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_syslog.html) to configure syslog output. Make sure to select **BSD** as the format and **TCP** as the transport.\n\n2. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_export_to_syslog.html) to export all logs to syslog. 
Select **JSON** as the output format.\n\nNote:- Refer to the [documentation](https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#security-considerations) for setting up the log forwarder for both local and cloud storage."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Data%20Connectors/Connector_Syslog_ESETPROTECT.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName == ""ERAServer""","false","ESETPROTECT","true","","true","","","","","","","" -"ESETProtectPlatform","ESET","ESET Protect Platform","The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). Integration REST API runs as scheduled Azure Function App.","[{""description"": "">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/).""}, {""description"": "">**NOTE:** The newest version of the ESET PROTECT Platform and Microsoft Sentinel integration pulls not only detections logs but also newly created incidents. 
If your integration was set up before 20.06.2025, please follow [these steps](https://help.eset.com/eset_connect/en-US/update_ms_sentinel_integration.html) to update it.""}, {""title"": ""Step 1 - Create an API user"", ""description"": ""Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.""}, {""title"": ""Step 2 - Create a registered application"", ""description"": ""Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)""}, {""title"": ""Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template"", ""description"": ""\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.\n\n5. 
Select one or more ESET products (ESET PROTECT, ESET Inspect, ESET Cloud Office Security) from which detections are retrieved.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Permission to register an application in Microsoft Entra ID"", ""description"": ""Sufficient permissions to register an application with your Microsoft Entra tenant are required.""}, {""name"": ""Permission to assign a role to the registered application"", ""description"": ""Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors/ESETProtectPlatform_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","ESET Protect Platform","false","","false","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#eset-protect-platform-using-azure-functions" +"ESETInspect","ESET Netherlands","ESET Inspect","This connector will ingest detections from [ESET Inspect](https://www.eset.com/int/business/solutions/xdr-extended-detection-and-response/) using the provided [REST API](https://help.eset.com/ei_navigate/latest/en-US/api.html). This API is present in ESET Inspect version 1.4 and later.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to ESET Inspect to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""Step 1 - Create an API user"", ""description"": ""1. Log into the ESET PROTECT console with an administrator account, select the **More** tab and the **Users** subtab. \n2. Click on the **ADD NEW** button and add a **native user**.\n3. Create a new user for the API account. **Optional:** Select a **Home group** other than **All** to limit what detections are ingested. \n4. Under the **Permission Sets** tab, assign the **Inspect reviewer permission set**.\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5.""}, {""title"": ""Step 2 - Copy Workspace ID and Key"", ""description"": "">**IMPORTANT:** Before deploying the ESET Inspect connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Step 3 - Deploy the Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the ESET Inspect connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESETInspect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , enter the **Inspect base URL** and the **first ID** to start ingesting detections from.\n - The defailt starting ID is **0**. This means that all detections will be ingested. 
\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labelled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Access to the ESET PROTECT console"", ""description"": ""Permissions to add users""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Inspect/Data%20Connectors/ESETInspect_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","_Computed.Username !contains ""nt authority""","false","ESET Inspect","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" +"ESETPROTECT","ESET","[Deprecated] ESET PROTECT","This connector gathers all events generated by ESET software through the central management solution ESET PROTECT (formerly ESET Security Management Center). This includes Anti-Virus detections, Firewall detections but also more advanced EDR detections. For a complete list of events please refer to [the documentation](https://help.eset.com/protect_admin/latest/en-US/events-exported-to-json-format.html).","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ESETPROTECT and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Parsers/ESETPROTECT.txt).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities. The default ESET PROTECT facility is **user**.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure ESET PROTECT"", ""description"": ""Configure ESET PROTECT to send all events through Syslog.\n\n1. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_syslog.html) to configure syslog output. Make sure to select **BSD** as the format and **TCP** as the transport.\n\n2. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_export_to_syslog.html) to export all logs to syslog. 
Select **JSON** as the output format.\n\nNote:- Refer to the [documentation](https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#security-considerations) for setting up the log forwarder for both local and cloud storage."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Data%20Connectors/Connector_Syslog_ESETPROTECT.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName == ""ERAServer""","false","ESETPROTECT","true","","false","","","","","","","" +"ESETProtectPlatform","ESET","ESET Protect Platform","The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). Integration REST API runs as scheduled Azure Function App.","[{""description"": "">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/).""}, {""description"": "">**NOTE:** The newest version of the ESET PROTECT Platform and Microsoft Sentinel integration pulls not only detections logs but also newly created incidents. 
If your integration was set up before 20.06.2025, please follow [these steps](https://help.eset.com/eset_connect/en-US/update_ms_sentinel_integration.html) to update it.""}, {""title"": ""Step 1 - Create an API user"", ""description"": ""Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.""}, {""title"": ""Step 2 - Create a registered application"", ""description"": ""Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)""}, {""title"": ""Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template"", ""description"": ""\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.\n\n5. 
Select one or more ESET products (ESET PROTECT, ESET Inspect, ESET Cloud Office Security) from which detections are retrieved.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Permission to register an application in Microsoft Entra ID"", ""description"": ""Sufficient permissions to register an application with your Microsoft Entra tenant are required.""}, {""name"": ""Permission to assign a role to the registered application"", ""description"": ""Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors/ESETProtectPlatform_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","ESET Protect Platform","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#eset-protect-platform-using-azure-functions" "ESI-ExchangeAdminAuditLogEvents","Microsoft","[Deprecated] Microsoft Exchange Logs and Events","Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment","[{""description"": "">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. 
To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)""}, {""title"": ""1. Download and install the agents needed to collect logs for Microsoft Sentinel"", ""description"": ""Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Deploy Monitor Agents"", ""description"": ""This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers"", ""instructions"": [{""parameters"": {""title"": ""Select which agent you want to install in your servers to collect logs:"", ""instructionSteps"": [{""title"": ""[Prefered] Azure Monitor Agent via Azure Arc"", ""description"": ""**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""title"": ""Install Azure Log Analytics Agent (Deprecated on 31/08/2024)"", ""description"": ""1. Download the Azure Log Analytics Agent and choose the deployment method in the below link."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Deploy log injestion following choosed options"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""[Option 1] MS Exchange Management Log collection"", ""description"": ""Select how to stream MS Exchange Admin Audit event logs"", ""instructions"": [{""parameters"": {""title"": ""MS Exchange Admin Audit event logs"", ""instructionSteps"": [{""title"": ""Data Collection Rules - When Azure Monitor Agent is used"", ""description"": ""**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Automation"", ""description"": ""Use the following step-by-step instructions to deploy manually a Data Collection Rule."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCR, Type Event log"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. 
In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Assign the DCR to all Exchange Servers"", ""description"": ""Add all your Exchange Servers to the DCR""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Data Collection Rules - When the legacy Azure Log Analytics Agent is used"", ""description"": ""**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""instructionSteps"": [{""title"": ""[Option 2] Security/Application/System logs of Exchange Servers"", ""description"": ""Select how to stream Security/Application/System logs of Exchange Servers"", ""instructions"": [{""parameters"": {""title"": ""Security Event log collection"", ""instructionSteps"": [{""title"": ""Data Collection Rules - Security Event logs"", ""description"": ""**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition."", ""instructions"": [{""parameters"": {""linkType"": ""OpenCreateDataCollectionRule"", ""dataCollectionRuleType"": 0}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""title"": ""Application and System Event log collection"", ""instructionSteps"": [{""title"": ""Data Collection Rules - When Azure Monitor Agent is used"", ""description"": ""**Enable data collection rule**\n> Application and System Events logs are collected only from **Windows** agents."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Automation"", ""description"": ""Use the following step-by-step instructions to deploy manually a Data Collection Rule."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCR, Type Event log"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Assign the DCR to all Exchange Servers"", ""description"": ""Add all your Exchange Servers to the DCR""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Data Collection Rules - When the legacy Azure Log Analytics Agent is used"", ""description"": ""**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Windows Event logs**.\n2. Click **Add Windows event log** and search **Application** as log name.\n3. Click **Add Windows event log** and search **System** as log name.\n4. Collect Error (for all), Warning (for all) and Information (for System) types\n5. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""instructionSteps"": [{""title"": ""[Option 3 and 4] Security logs of Domain Controllers"", ""description"": ""Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step"", ""description"": ""**This limits the quantity of data injested but some incident can't be detected.**""}, {""title"": ""[Option 4] List all Domain Controllers of your Active-Directory Forest for next step"", ""description"": ""**This allows collecting all security events**""}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""title"": ""Security Event log collection"", ""instructionSteps"": [{""title"": ""Data Collection Rules - Security Event logs"", ""description"": ""**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition."", ""instructions"": [{""parameters"": {""linkType"": ""OpenCreateDataCollectionRule"", ""dataCollectionRuleType"": 0}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""instructionSteps"": [{""title"": ""[Option 5] IIS logs of Exchange Servers"", ""description"": ""Select how to stream IIS logs of Exchange Servers"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Data Collection Rules - When Azure Monitor Agent is used"", ""description"": ""**Enable data collection rule**\n> IIS logs are collected only from **Windows** agents."", ""instructions"": [{""type"": ""AdminAuditEvents""}, {""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the DCE and DCR."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. 
Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy.""}, {""title"": ""B. Deploy Data Connection Rule"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Option 2 - Manual Deployment of Azure Automation"", ""description"": ""Use the following step-by-step instructions to deploy manually a Data Collection Rule."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""B. Create DCR, Type IIS log"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. 
In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Assign the DCR to all Exchange Servers"", ""description"": ""Add all your Exchange Servers to the DCR""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Data Collection Rules - When the legacy Azure Log Analytics Agent is used"", ""description"": ""**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **IIS Logs**.\n2. Check **Collect W3C format IIS log files**\n5. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""instructionSteps"": [{""title"": ""[Option 6] Message Tracking of Exchange Servers"", ""description"": ""Select how to stream Message Tracking of Exchange Servers"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Data Collection Rules - When Azure Monitor Agent is used"", ""description"": ""**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents."", ""instructions"": [{""parameters"": {""text"": ""**Attention**, Custom logs in Monitor Agent is in Preview. 
The deployment doesn't work as expected for the moment (March 2023)."", ""inline"": false}, ""type"": ""InfoMessage""}, {""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the DCE and DCR."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy.""}, {""title"": ""B. Deploy Data Connection Rule and Custom Table"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Option 2 - Manual Deployment of Azure Automation"", ""description"": ""Use the following step-by-step instructions to deploy manually a Data Collection Rule."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. 
In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""B. Create Custom DCR Table"", ""description"": ""1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **MessageTrackingLog** on the Table name, create a Data Collection rule with the name **DCR-Option6-MessageTrackingLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. 
In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**.""}, {""title"": ""C. Modify the created DCR, Type Custom log"", ""description"": ""1. 
From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option6-MessageTrackingLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n 
['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']* \n7. Click on 'Add data source'.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Assign the DCR to all Exchange Servers"", ""description"": ""Add all your Exchange Servers to the DCR""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Data Collection Rules - When the legacy Azure Log Analytics Agent is used"", ""description"": ""**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-MessageTrackingLogsSampleCSV)** and click Next\n3. Select type **Windows** and enter the path **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log**. Click Next.\n4. Enter **MessageTrackingLog** as Table name and click Next.\n5. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}, {""parameters"": {""instructionSteps"": [{""title"": ""[Option 7] HTTP Proxy of Exchange Servers"", ""description"": ""Select how to stream HTTP Proxy of Exchange Servers"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Data Collection Rules - When Azure Monitor Agent is used"", ""description"": ""**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents."", ""instructions"": [{""parameters"": {""text"": ""**Attention**, Custom logs in Monitor Agent is in Preview. 
The deployment doesn't work as expected for the moment (March 2023)."", ""inline"": false}, ""type"": ""InfoMessage""}, {""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the DCE and DCR."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy.""}, {""title"": ""B. Deploy Data Connection Rule"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Option 2 - Manual Deployment of Azure Automation"", ""description"": ""Use the following step-by-step instructions to deploy manually a Data Collection Rule."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create DCE (If not already created for Exchange Servers)"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 
'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""B. Create Custom DCR Table"", ""description"": ""1. Download the Example file from [Microsoft Sentinel GitHub](https://aka.ms/Sentinel-Sample-ESI-HTTPProxyExampleFile).\n2. From the Azure Portal, navigate to [Workspace Analytics](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces) and select your target Workspace.\n3. Click in 'Tables', click **+ Create** at the top and select **New Custom log (DCR-Based)**.\n4. In the **Basics** tab, enter **ExchangeHttpProxy** on the Table name, create a Data Collection rule with the name **DCR-Option7-HTTPProxyLogs** (for example) and select the previously created Data collection Endpoint.\n5. In the **Schema and Transformation** tab, choose the downloaded sample file and click on **Transformation Editor**.\n6. In the transformation field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n*\n\n8. Click 'Run' and after 'Apply'.\n9. Click **Next**, then click **Create**.""}, {""title"": ""C. Modify the created DCR, Type Custom log"", ""description"": ""1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Select the previously created DCR, like **DCR-Option7-HTTPProxyLogs**.\n3. In the **Resources** tab, enter you Exchange Servers.\n4. In **Data Sources**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log' in file pattern, 'ExchangeHttpProxy_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n*source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime* \n7. 
Click on 'Add data source'.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Assign the DCR to all Exchange Servers"", ""description"": ""Add all your Exchange Servers to the DCR""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Data Collection Rules - When the legacy Azure Log Analytics Agent is used"", ""description"": ""**Configure the logs to be collected**\n\n1. Under workspace **Settings** part, select **Tables**, click **+ Create** and click on **New custom log (MMA-Based)**.\n2. Select Sample file **[MessageTracking Sample](https://aka.ms/Sentinel-Sample-ESI-HttpProxySampleCSV)** and click Next\n3. Select type **Windows** and enter all the following paths **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log**, **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log** and **C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log** . Click Next.\n4. Enter **ExchangeHttpProxy** as Table name and click Next.\n5. 
Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"", ""instructions"": [{""parameters"": {""title"": ""Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below"", ""instructionSteps"": [{""title"": ""Manual Parser Deployment"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""1. Download the Parser file"", ""description"": ""The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)""}, {""title"": ""2. Create Parser **ExchangeAdminAuditLogs** function"", ""description"": ""In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer""}, {""title"": ""3. Save Parser **ExchangeAdminAuditLogs** function"", ""description"": ""Click on save button.\n No parameter is needed for this parser.\nClick save again.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""name"": ""Detailled documentation"", ""description"": "">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/Data%20Connectors/ESI-ExchangeAdminAuditLogEvents.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Event.EventLog in ""Application,MSExchange Management,System""","false","Microsoft Exchange Security - Exchange On-Premises","true","","true","","","","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#deprecated-microsoft-exchange-logs-and-events" "ESI-ExchangeOnPremisesCollector","Microsoft","Exchange Security Insights On-Premises Collector","Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis","[{""title"": ""1. 
Install the ESI Collector Script on a server with Exchange Admin PowerShell console"", ""description"": ""This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n "", ""instructions"": [{""parameters"": {""title"": ""Script Deployment"", ""instructionSteps"": [{""title"": ""Download the latest version of ESI Collector"", ""description"": ""The latest version can be found here : https://aka.ms/ESI-ExchangeCollector-Script. The file to download is CollectExchSecIns.zip""}, {""title"": ""Copy the script folder"", ""description"": ""Unzip the content and copy the script folder on a server where Exchange PowerShell Cmdlets are present.""}, {""title"": ""Unblock the PS1 Scripts"", ""description"": ""Click right on each PS1 Script and go to Properties tab.\n If the script is marked as blocked, unblock it. You can also use the Cmdlet 'Unblock-File *.* in the unzipped folder using PowerShell.""}, {""title"": ""Configure Network Access "", ""description"": ""Ensure that the script can contact Azure Analytics (*.ods.opinsights.azure.com).""}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the ESI Collector Script"", ""description"": ""Be sure to be local administrator of the server.\nIn 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the collector.\n Fill the Log Analytics (Microsoft Sentinel) Workspace information.\n Fill the Environment name or leave empty. By default, choose 'Def' as Default analysis. The other choices are for specific usage."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. 
Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)"", ""description"": ""The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management""}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)"", ""instructions"": [{""parameters"": {""title"": ""Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below"", ""instructionSteps"": [{""title"": ""Manual Parser Deployment"", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""1. Download the Parser file"", ""description"": ""The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)""}, {""title"": ""2. Create Parser **ExchangeAdminAuditLogs** function"", ""description"": ""In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer""}, {""title"": ""3. 
Save Parser **ExchangeAdminAuditLogs** function"", ""description"": ""Click on save button.\n No parameter is needed for this parser.\nClick save again.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Service Account with Organization Management role"", ""description"": ""The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information.""}, {""name"": ""Detailled documentation"", ""description"": "">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/Data%20Connectors/ESI-ExchangeOnPremisesCollector.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Microsoft Exchange Security - Exchange On-Premises","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey 
pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#exchange-security-insights-on-premises-collector" "ESI-ExchangeOnlineCollector","Microsoft","Exchange Security Insights Online Collector","Connector used to push Exchange Online Security configuration for Microsoft Sentinel Analysis","[{""description"": "">**NOTE - UPDATE**"", ""instructions"": [{""parameters"": {""text"": ""

NOTE - UPDATE:

We recommend to Update the Collector to Version 7.6.0.0 or highier.
The Collector Script Update procedure could be found here : ESI Online Collector Update"", ""visible"": true, ""inline"": false}, ""type"": ""InfoMessage""}]}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-Online-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-Online-parser) \n\n**STEP 1 - Parsers deployment**"", ""instructions"": [{""parameters"": {""title"": ""Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)"", ""instructionSteps"": [{""title"": ""1. Download the Parser files"", ""description"": ""The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-Online-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-Online-parser)""}, {""title"": ""2. Create Parser **ExchangeConfiguration** function"", ""description"": ""In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer""}, {""title"": ""3. Save Parser **ExchangeConfiguration** function"", ""description"": ""Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again.""}, {""title"": ""4. Reproduce the same steps for Parser **ExchangeEnvironmentList**"", ""description"": ""Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file""}]}, ""type"": ""InstructionStepsGroup""}]}, {""description"": "">**NOTE:** This connector uses Azure Automation to connect to 'Exchange Online' to pull its Security analysis into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Automation pricing page](https://azure.microsoft.com/pricing/details/automation/) for details.""}, {""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Automation**\n\n>**IMPORTANT:** Before deploying the 'ESI Exchange Online Security Configuration' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Exchange Online tenant name (contoso.onmicrosoft.com), readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the 'ESI Exchange Online Security Configuration' connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-ExchangeCollector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Tenant Name**, 'and/or Other required fields'. \n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""description"": ""**Option 2 - Manual Deployment of Azure Automation**\n\n Use the following step-by-step instructions to deploy the 'ESI Exchange Online Security Configuration' connector manually with Azure Automation."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""A. Create the Azure Automation Account"", ""description"": ""1. From the Azure Portal, navigate to [Azure Automation Account](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Automation%2FAutomationAccounts).\n2. 
Click **+ Add** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the Azure Automation. \n4. In the **Advanced** and **Networking** and **Tags** Tabs, leave fields as default if you don't need to customize them.\n5. 'Make other preferable configuration changes', if needed, then click **Create**.""}, {""title"": ""B. Add Exchange Online Management Module, Microsoft Graph (Authentication, User and Group) Modules"", ""description"": ""1. On the Automation Account page, select **Modules**.\n2. Click on **Browse gallery** and search the **ExchangeOnlineManagement** module.\n3. Select it and click on **Select**.\n4. Choose Version **5.1** on Runtime version field and click on Import button.\nRepeat the step for the following modules : 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users' and 'Microsoft.Graph.Groups. **Attention, you need to wait for Microsoft.Graph.Authentication installation before processing next modules**""}, {""title"": ""C. Download the Runbook Content"", ""description"": ""1. Download the latest version of ESI Collector. The latest version can be found here : https://aka.ms/ESI-ExchangeCollector-Script\n2. Unzip the file to find the JSON file and the PS1 file for next step.\n""}, {""title"": ""D. Create Runbook"", ""description"": ""1. On the Automation Account page, select the **Runbooks** button.\n2. Click on **Create a runbook** and name it like 'ESI-Collector' with a runbook type **PowerShell**, Runtime Version **5.1** and click 'Create'.\n2. Import the content of the previous step's PS1 file in the Runbook window.\n3. Click on **Publish**""}, {""title"": ""E. Create GlobalConfiguration Variable"", ""description"": ""1. On the Automation Account page, select the **Variables** button.\n2. Click on **Add a Variable** and name it exaclty 'GlobalConfiguration' with a type **String**.\n2. On 'Value' field, copy the content of the previous step's JSON file.\n3. 
Inside the content, replace the values of **WorkspaceID** and **WorkspaceKey**.\n4. Click on 'Create' button.""}, {""title"": ""F. Create TenantName Variable"", ""description"": ""1. On the Automation Account page, select the **Variables** button.\n2. Click on **Add a Variable** and name it exaclty 'TenantName' with a type **String**.\n3. On 'Value' field, write the tenant name of your Exchange Online.\n4. Click on 'Create' button.""}, {""title"": ""G. Create LastDateTracking Variable"", ""description"": ""1. On the Automation Account page, select the **Variables** button.\n2. Click on **Add a Variable** and name it exaclty 'LastDateTracking' with a type **String**.\n3. On 'Value' field, write 'Never'.\n4. Click on 'Create' button.""}, {""title"": ""H. Create a Runbook Schedule"", ""description"": ""1. On the Automation Account page, select the **Runbook** button and click on your created runbook.\n2. Click on **Schedules** and **Add a schedule** button.\n3. Click on **Schedule**, **Add a Schedule** and name it. Select **Recurring** value with a reccurence of every 1 day, click 'Create'.\n4. Click on 'Configure parameters and run settings'. Leave all empty and click on **OK** and **OK** again.""}]}, ""type"": ""InstructionStepsGroup""}]}, {""description"": ""**STEP 3 - Assign Microsoft Graph Permission and Exchange Online Permission to Managed Identity Account** \n\nTo be able to collect Exchange Online information and to be able to retrieve User information and memberlist of admin groups, the automation account need multiple permission."", ""instructions"": [{""parameters"": {""title"": ""Assign Permissions by Script"", ""instructionSteps"": [{""title"": ""A. Download Permission Script"", ""description"": ""[Permission Update script](https://aka.ms/ESI-ExchangeCollector-Permissions)""}, {""title"": ""B. Retrieve the Azure Automation Managed Identity GUID and insert it in the downloaded script"", ""description"": ""1. 
Go to your Automation Account, in the **Identity** Section. You can find the Guid of your Managed Identity.\n2. Replace the GUID in $MI_ID = \""XXXXXXXXXXX\"" with the GUID of your Managed Identity.""}, {""title"": ""C. Launch the script with a **Global-Administrator** account"", ""description"": ""**Attention this script requires MSGraph Modules and Admin Consent to access to your tenant with Microsoft Graph**.\n\tThe script will add 3 permissions to the Managed identity:\n\t1. Exchange Online ManageAsApp permission\n\t2. User.Read.All on Microsoft Graph API\n\t3. Group.Read.All on Microsoft Graph API""}, {""title"": ""D. Exchange Online Role Assignment"", ""description"": ""1. As a **Global Administrator**, go to **Roles and Administrators**.\n2. Select **Global Reader** role or **Security Reader** and click to 'Add assignments'.\n3. Click on 'No member selected' and search your Managed Identity account Name beginning by **the name of your automation account** like 'ESI-Collector'. Select it and click on 'Select'.\n4. Click **Next** and validate the assignment by clicking **Assign**.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""microsoft.automation/automationaccounts permissions"", ""description"": ""Read and write permissions to create an Azure Automation with a Runbook is required. [See the documentation to learn more about Automation Account](https://learn.microsoft.com/en-us/azure/automation/overview).""}, {""name"": ""Microsoft.Graph permissions"", ""description"": ""Groups.Read, Users.Read and Auditing.Read permissions are required to retrieve user/group information linked to Exchange Online assignments. 
[See the documentation to learn more](https://aka.ms/sentinel-ESI-OnlineCollectorPermissions).""}, {""name"": ""Exchange Online permissions"", ""description"": ""Exchange.ManageAsApp permission and **Global Reader** or **Security Reader** Role are needed to retrieve the Exchange Online Security Configuration.[See the documentation to learn more](https://aka.ms/sentinel-ESI-OnlineCollectorPermissions).""}, {""name"": ""(Optional) Log Storage permissions"", ""description"": ""Storage Blob Data Contributor to a storage account linked to the Automation Account Managed identity or an Application ID is mandatory to store logs.[See the documentation to learn more](https://aka.ms/sentinel-ESI-OnlineCollectorPermissions).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/Data%20Connectors/ESI-ExchangeOnlineCollector.json","","Azure Function","Deploy Azure Function pattern","","","","","false","Microsoft Exchange Security - Exchange Online","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#exchange-security-insights-online-collector-using-azure-functions" 
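Review bot: the ESI-ExchangeOnlineCollector row is classified "Azure Function" with reason "Deploy Azure Function pattern", yet every deployment step in its instructions provisions Azure Automation, not a Function App (STEP 2 "deploy the connector and the associated Azure Automation", Option 2 "Manual Deployment of Azure Automation" with runbook, variables and schedule, and the "microsoft.automation/automationaccounts permissions" entry). The only Functions signals in the row are the boilerplate "Microsoft.Web/sites permissions" custom entry and the "...using-azure-functions" anchor in the learn URL. If the classifier scores the Functions permission text ahead of the Automation instruction text, consider ranking the "microsoft.automation/automationaccounts" permission or the "Azure Automation" instruction wording higher (or adding an "Azure Automation" type), otherwise document that "Azure Function" deliberately covers Automation-runbook collectors so the reason string is not misleading.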
@@ -241,6 +243,7 @@ "F5Ama","F5 Networks","[Deprecated] F5 Networks via AMA","The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Configure F5 to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [F5 Configuring Application Security Event Logging](https://aka.ms/asi-syslog-f5-forwarding), follow the instructions to set up remote logging, using the following guidelines:\n\n1. Set the **Remote storage type** to CEF.\n2. Set the **Protocol setting** to UDP.\n3. Set the **IP address** to the Syslog server IP address.\n4. Set the **port number** to 514, or the port your agent uses.\n5. 
Set the **facility** to the one that you configured in the Syslog agent (by default, the agent sets this to local4).\n6. You can set the **Maximum Query String Size** to be the same as you configured.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/F5%20Networks/Data%20Connectors/template_F5NetworksAMA.json","","AMA","Title/ID indicates AMA","F5","","{""CommonSecurityLog"": {""vendor"": [""F5""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""F5""","false","F5 Networks","true","","true","","","","","","","" "F5BigIp","F5 Networks","F5 BIG-IP","The F5 firewall connector allows you to easily connect your F5 logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.","[{""title"": ""Configure and connect F5 BIGIP"", ""description"": ""To connect your F5 BIGIP, you have to post a JSON declaration to the system\u2019s API endpoint. 
For instructions on how to do this, see [Integrating the F5 BGIP with Microsoft Sentinel](https://aka.ms/F5BigIp-Integrate)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/F5%20BIG-IP/Data%20Connectors/F5BigIp.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","F5 Big-IP","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#f5-big-ip" "FeedlyCCPDefinition","Feedly","Feedly IoC","The [Feedly](https://feedly.com/) IoC data connector provides the capability to ingest Indicators of Compromise (IoCs) from Feedly API into Microsoft Sentinel.","[{""description"": ""1) Go to https://feedly.com/i/team/api and generate a new API token for the connector.\n2) In Sentinel, in the connector page - provide your Feedly API Key and Stream IDs. 
Then click \""Connect\""."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Feedly API Key"", ""placeholder"": ""Enter your Feedly API token"", ""type"": ""password"", ""name"": ""feedlyApiKey"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Feedly Stream IDs"", ""placeholder"": ""streamId1,streamId2,streamId3"", ""type"": ""text"", ""name"": ""feedlyStreamIds"", ""required"": true}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""connect""}}], ""title"": ""Connect to Feedly to start collecting IoCs in Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Feedly API access"", ""description"": ""Access to the Feedly API is required. You need a Feedly API token with access to the IoC streams you want to ingest. 
Generate your API token at https://feedly.com/i/team/api""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Feedly/Data%20Connectors/Feedly_CCF/Feedly_DataConnectorDefinition.json","","CCF","Has dcrConfig with RestApiPoller","","","","","false","Feedly","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Feedly/Data%20Connectors/Feedly_CCF/Feedly_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Feedly/Data%20Connectors/Feedly_CCF/Feedly_PollingConfig.json","APIKey;Paging","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#feedly-ioc" +"FieldEffectCCF","Field Effect","Field Effect MDR Data Connector (via Codeless Connector Framework)","This solution enables Microsoft Sentinel to ingest Field Effect MDR data using the Codeless Connector Framework (CCF). The connector polls the Field Effect ARO API and sends results to a Log Analytics custom table for hunting, correlation, and alerting within Sentinel.","[{""title"": ""Configure Field Effect Connector"", ""description"": ""1. In the Field Effect MDR portal, generate an API Key. \n2. Copy your Organization ID from the portal. \n3. 
Enter both values below and connect."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""Enter your Field Effect API Key"", ""type"": ""password"", ""name"": ""bearerToken""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Organization ID"", ""placeholder"": ""Enter your Field Effect Organization ID"", ""type"": ""text"", ""name"": ""organizationId""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect to Field Effect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR/Data%20Connectors/FieldEffect_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","FieldEffectMDR","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR/Data%20Connectors/FieldEffect_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR/Data%20Connectors/FieldEffect_PollerConfig.json","APIKey","","","","" "FilewallM365","Filewall","Filewall for Microsoft 365","Ingest events from Filewall into Microsoft Sentinel (Exchange, SharePoint, OneDrive and Teams).","[{""description"": ""Click **Add connection**, paste your Filewall API key, and click **Connect**. 
This will create 4 polling connections (Exchange, SharePoint, OneDrive, Teams)."", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Connection"", ""columnValue"": ""name""}, {""columnName"": ""API Endpoint"", ""columnValue"": ""properties.request.apiEndpoint""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add connection"", ""title"": ""Add connection"", ""subtitle"": ""Connect Filewall to Microsoft Sentinel"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Endpoint URL"", ""tooltip"": ""Enter the Filewall API endpoint."", ""placeholder"": ""API Endpoint URL"", ""type"": ""text"", ""name"": ""apiEndpoint"", ""defaultValue"": ""https://api.filewall.com/api/v1/logs""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Filewall API Key"", ""tooltip"": ""Paste the Filewall API key from the Filewall admin console."", ""placeholder"": ""Paste your Filewall API key"", ""type"": ""password"", ""name"": ""apiKey""}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Filewall API access"", ""description"": ""A Filewall API key is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365/Data%20Connectors/FilewallM365Logs_CCP/FilewallM365_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Filewall for Microsoft 
365","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365/Data%20Connectors/FilewallM365Logs_CCP/FilewallM365_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365/Data%20Connectors/FilewallM365Logs_CCP/FilewallM365_PollingConfig.json","APIKey;Paging","","","","" "FireEyeNX","FireEye","[Deprecated] FireEye Network Security (NX) via Legacy Agent","The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using FEOS release v9.0"", ""instructions"": []}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. 
The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure FireEye NX to send logs using CEF"", ""description"": ""Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FireEye%20Network%20Security/Data%20Connectors/Connector_FireEyeNX_CEF.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceVendor =~ ""FireEye""","true","FireEye Network Security","true","","true","","","","","","","" "FireEyeNXAma","FireEye","[Deprecated] FireEye Network Security (NX) via AMA","The [FireEye Network Security (NX)](https://www.fireeye.com/products/network-security.html) data connector provides the capability to ingest FireEye Network Security logs into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**FireEyeNXEvent**](https://aka.ms/sentinel-FireEyeNX-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. 
Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Configure FireEye NX to send logs using CEF"", ""description"": ""Complete the following steps to send data using CEF:\n\n2.1. Log into the FireEye appliance with an administrator account\n\n2.2. Click **Settings**\n\n2.3. Click **Notifications**\n\nClick **rsyslog**\n\n2.4. Check the **Event type** check box\n\n2.5. Make sure Rsyslog settings are:\n\n- Default format: CEF\n\n- Default delivery: Per event\n\n- Default send as: Alert"", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FireEye%20Network%20Security/Data%20Connectors/template_FireEyeNX_CEFAMA.json","","AMA","Title/ID indicates AMA","FireEye","","{""CommonSecurityLog"": {""vendor"": [""FireEye""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""FireEye""","true","FireEye Network Security","true","","true","","","","","","","" 
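Review bot: the new FieldEffectCCF row carries the generic classification reason "Uses dataConnectorDefinitions" even though it has a poller config URL (FieldEffect_PollerConfig.json) alongside its DCR, while the neighbouring Feedly row with the same CCF shape gets the more specific "Has dcrConfig with RestApiPoller"; check whether the mapper fails to open that poller file (different filename pattern from Feedly_PollingConfig.json) or whether the FieldEffect poller lacks a RestApiPoller kind, and make the reason reflect whichever it is. Also note the row's last two columns are empty ("","") where Feedly has "true" and a data-connectors-reference URL, so the connector will show as undocumented in the index; that is fine if it is not yet in the Microsoft reference, but worth a line in the PR description so it is not mistaken for a lookup failure.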
@@ -261,7 +264,7 @@ "FortinetFortiNdrCloudDataConnector","Fortinet","Fortinet FortiNDR Cloud","The Fortinet FortiNDR Cloud data connector provides the capability to ingest [Fortinet FortiNDR Cloud](https://docs.fortinet.com/product/fortindr-cloud) data into Microsoft Sentinel using the FortiNDR Cloud API","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the FortiNDR Cloud API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">**NOTE:** This connector uses a parser based on a Kusto Function to normalize fields. 
[Follow these steps](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Fortinet%20FortiNDR%20Cloud/Parsers/Fortinet_FortiNDR_Cloud.md) to create the Kusto function alias **Fortinet_FortiNDR_Cloud**.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Fortinet FortiNDR Cloud Logs Collection**\n\nThe provider should provide or link to detailed steps to configure the 'PROVIDER NAME APPLICATION NAME' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Fortinet FortiNDR Cloud connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the as well as the FortiNDR Cloud API credentials (available in FortiNDR Cloud account management), readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the Fortinet FortiNDR Cloud connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-FortinetFortiNDR-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**(Make sure using the same location as your Resource Group, and got the location supports Flex Consumption. \n3. Enter the **Workspace ID**, **Workspace Key**, **AwsAccessKeyId**, **AwsSecretAccessKey**, and/or Other required fields. \n4. 
Click **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""MetaStream Credentials"", ""description"": ""**AWS Access Key Id**, **AWS Secret Access Key**, **FortiNDR Cloud Account Code** are required to retrieve event data.""}, {""name"": ""API Credentials"", ""description"": ""**FortiNDR Cloud API Token**, **FortiNDR Cloud Account UUID** are required to retrieve detection data.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Fortinet%20FortiNDR%20Cloud/Data%20Connectors/FortinetFortiNdrCloud_API_AzureFunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Fortinet FortiNDR Cloud","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#fortinet-fortindr-cloud" "FortinetFortiWeb","Microsoft","[Deprecated] Fortinet FortiWeb Web Application Firewall via Legacy 
Agent","The [fortiweb](https://www.fortinet.com/products/web-application-firewall/fortiweb) data connector provides the capability to ingest Threat Analytics and events into Microsoft Sentinel.","[{""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Fortinet%20FortiWeb%20Cloud%20WAF-as-a-Service%20connector%20for%20Microsoft%20Sentinel/Data%20Connectors/Fortiweb.json","","AMA","Title mentions Legacy Agent","Fortinet","Fortiweb","{""CommonSecurityLog"": {""vendor"": [""Fortinet""], ""product"": [""Fortiweb""]}}","CommonSecurityLog.DeviceProduct == ""Fortiweb"" | CommonSecurityLog.DeviceProduct has ""Fortiweb"" | CommonSecurityLog.DeviceVendor =~ ""Fortinet"" | _Computed.DeviceCustomNumber2Label =~ ""length"" | _Computed.DeviceCustomNumber3Label =~ ""signatureID"" | _Computed.DeviceCustomString1Label =~ ""appName"" | _Computed.DeviceCustomString2Label =~ ""srcCountry"" | _Computed.DeviceCustomString3Label =~ ""mainType"" | _Computed.DeviceCustomString4Label =~ ""subType"" | _Computed.DeviceCustomString5Label =~ ""threatLevel"" | _Computed.DeviceCustomString6Label =~ ""owaspTop10""","true","Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel","true","","false","","","","","","","" "FortinetFortiWebAma","Microsoft","Fortinet FortiWeb Web Application Firewall via AMA","The [fortiweb](https://www.fortinet.com/products/web-application-firewall/fortiweb) data connector provides the capability to ingest Threat Analytics and events into Microsoft Sentinel.","[{""title"": """", ""description"": """", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. 
Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Fortinet%20FortiWeb%20Cloud%20WAF-as-a-Service%20connector%20for%20Microsoft%20Sentinel/Data%20Connectors/template_FortiwebAma.json","","AMA","Title/ID indicates AMA","","","","CommonSecurityLog.Computer contains ""Fortiweb"" | CommonSecurityLog.DeviceProduct contains ""Fortiweb"" | CommonSecurityLog.DeviceProduct has ""Fortiweb"" | CommonSecurityLog.DeviceVendor =~ ""Fortinet"" | CommonSecurityLog.DeviceVendor contains ""Fortinet"" | _Computed.DeviceCustomNumber2Label =~ ""length"" | _Computed.DeviceCustomNumber3Label =~ ""signatureID"" | _Computed.DeviceCustomString1Label =~ ""appName"" | _Computed.DeviceCustomString2Label =~ ""srcCountry"" | _Computed.DeviceCustomString3Label =~ ""mainType"" | _Computed.DeviceCustomString4Label =~ ""subType"" | _Computed.DeviceCustomString5Label =~ ""threatLevel"" | _Computed.DeviceCustomString6Label =~ ""owaspTop10""","false","Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel","false","","true","","","","","","","" -"FortyTwoCrunchAPIProtection","Microsoft Corporation","42Crunch API Protection (Push Connector via Codeless Connector Framework)","Connects the 42Crunch API protection to Microsoft Sentinel via the Azure Monitor DCE/DCR REST API interface. The integration uses Docker containers (API Firewall and Log Forwarder) to forward API traffic logs to Microsoft Sentinel for threat detection and analysis.","[{""title"": ""1. 
Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector receives data from external security systems that push logs to Microsoft Sentinel. The external system must be configured to send raw event data to the Microsoft Sentinel Ingestion API. Clicking on **Deploy** will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.\n\n[Learn more about the connector setup process](https://review.learn.microsoft.com/azure/sentinel/create-push-codeless-connector)"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Azure Resource Deployment\n\nThe deployment process will create the following resources:\n- Log Analytics custom table(s)\n- Data Collection Endpoint (DCE)\n- Data Collection Rule (DCR)\n- Entra ID Application Registration\n- Role assignments for data ingestion""}}, {""type"": ""DeployPushConnectorButton"", ""parameters"": {""label"": ""Deploy 42Crunch API Protection connector resources"", ""applicationDisplayName"": ""42Crunch API Protection (Push Connector via Codeless Connector Framework)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Configuration Values\n\nAfter deployment, copy the following values to configure your external security system:""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""TenantId""], ""label"": ""Tenant ID (Directory ID)"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationId""], ""label"": ""Entra App Registration Application ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationSecret""], ""label"": ""Entra App Registration Secret"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": 
[""DataCollectionEndpoint""], ""label"": ""Data Collection Endpoint Url"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""DataCollectionRuleId""], ""label"": ""Data Collection Rule Immutable ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [], ""label"": ""Stream Name (FortyTwoCrunchAPIProtectionV2)"", ""value"": ""Custom-FortyTwoCrunchAPIProtectionV2_CL""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Keep these values secure. You will need them to configure your external security system."", ""visible"": true, ""inline"": true}}]}, {""title"": ""2. Configure your external system to push logs"", ""description"": ""Use the following parameters to configure your external security system to send logs to the workspace.\n\n### Configuration Steps\n\n1. Access your external security system's configuration interface.\n2. Navigate to the data forwarding, integration, or SIEM settings.\n3. Select **Azure Monitor** or **Microsoft Sentinel** as the destination.\n4. Select **Data Collection Endpoint** as the authentication method.\n5. Configure the required fields using the values from the previous step:\n - **Tenant ID**: Copy from above\n - **Application (Client) ID**: Copy from above\n - **Client Secret**: Copy from above\n - **Data Collection Endpoint**: Copy from above\n - **Data Collection Rule Immutable ID**: Copy from above\n - **Stream Name**: Copy the appropriate stream name from above\n6. 
Save the configuration and enable/start the forwarder.\n\n### Validation\n\n> **Note**: Data will appear in the **FortyTwoCrunchAPIProtectionV2** table in your Log Analytics workspace within a few minutes.\n\nTo verify data is being received, run the following query in your Log Analytics workspace:\n\n```kusto\nFortyTwoCrunchAPIProtectionV2\n| where TimeGenerated > ago(1h)\n| take 10\n```\n\n### Troubleshooting\n\nIf data is not appearing:\n- Verify the configuration values are correct\n- Check that the forwarder/integration is enabled and running\n- Review logs in your external security system for any errors\n- Ensure network connectivity from your system to Azure\n- Verify the Entra application has the correct permissions"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""After deploying the Azure resources, configure the **42Crunch Log Forwarder** Docker container to send data to the deployed DCE/DCR endpoints instead of the legacy HTTP Data Collector API.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Update Docker Compose / Helm Chart Environment Variables\n\nReplace the legacy `WORKSPACE_ID` and `WORKSPACE_KEY` environment variables with the new DCE/DCR configuration:\n\n```yaml\nenvironment:\n # Legacy (remove these):\n # - WORKSPACE_ID=\n # - WORKSPACE_KEY=\n\n # New CCF Push Connector configuration:\n - DCE_ENDPOINT=\n - DCR_IMMUTABLE_ID=\n - DCR_STREAM_NAME=Custom-FortyTwoCrunchAPIProtectionV2_CL\n\n # 42Crunch platform credentials (unchanged):\n - 42C_FIREWALL_TOKEN=\n - 42C_PLATFORM_URL=\n```""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""The DCE endpoint URL and DCR immutable ID are displayed after deploying the ARM resources in Step 1. 
For full configuration details, refer to the [42Crunch Microsoft Sentinel Integration](https://github.com/42Crunch/azure-sentinel-integration) documentation.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Important: Connection Status\n\nThis is a **push-based connector** - it receives data from the 42Crunch Log Forwarder and does not maintain an active polling connection. The connector shows as **Connected** when data has been received within the last 7 days.""}}]}, {""title"": ""Uninstall connector"", ""description"": ""Use this PowerShell script to delete the connector instance."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Delete the Connector Instance""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""Run the following PowerShell commands to remove the data connector instance:\n\n```powershell\n$sub = \""\""\n$rg = \""\""\n$ws = \""\""\n$connectorName = \""FortyTwoCrunchAPIProtection\""\n$armEndpoint = (az cloud show --query endpoints.resourceManager -o tsv).TrimEnd('/')\n\nWrite-Host \""Deleting $connectorName...\"" -NoNewline\naz rest --method DELETE --uri \""$armEndpoint/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$ws/providers/Microsoft.SecurityInsights/dataConnectors/$connectorName`?api-version=2024-09-01\""\nWrite-Host \"" Done\"" -ForegroundColor Green\n```""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""> NOTE: Replace ``, ``, and `` with your actual Azure values before running the script.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""This removes the push connector instance. 
Historical data in your Log Analytics workspace will be retained.""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Microsoft.Insights/dataCollectionEndpoints"", ""description"": ""Data Collection Endpoint is required for the modern push connector to receive data from the external security system.""}, {""name"": ""Microsoft.Insights/dataCollectionRules"", ""description"": ""Data Collection Rule is required to define the schema and transformations for incoming data.""}, {""name"": ""Microsoft.Authorization/roleAssignments"", ""description"": ""Role assignment is required to grant the Entra application permissions to send data to the Data Collection Rule.""}, {""name"": ""42Crunch API Firewall requirement"", ""description"": ""The 42Crunch API Firewall and Log Forwarder Docker containers must be deployed and running. Obtain your API Firewall token (42C_FIREWALL_TOKEN) and platform URL (42C_PLATFORM_URL) from the 42Crunch platform at https://platform.42crunch.com. 
Full deployment instructions are available at https://github.com/42Crunch/azure-sentinel-integration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/42CrunchAPIProtection.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","42Crunch API Protection","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/PollingConfig.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" +"FortyTwoCrunchAPIProtection","Microsoft Corporation","42Crunch API Protection (Push Connector via Codeless Connector Framework)","Connects the 42Crunch API protection to Microsoft Sentinel via the Azure Monitor DCE/DCR REST API interface. The integration uses Docker containers (API Firewall and Log Forwarder) to forward API traffic logs to Microsoft Sentinel for threat detection and analysis.","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector receives data from external security systems that push logs to Microsoft Sentinel. The external system must be configured to send raw event data to the Microsoft Sentinel Ingestion API. Clicking on **Deploy** will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. 
This setup enables data to be sent securely to the DCR using an Entra token.\n\n[Learn more about the connector setup process](https://review.learn.microsoft.com/azure/sentinel/create-push-codeless-connector)"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Azure Resource Deployment\n\nThe deployment process will create the following resources:\n- Log Analytics custom table(s)\n- Data Collection Endpoint (DCE)\n- Data Collection Rule (DCR)\n- Entra ID Application Registration\n- Role assignments for data ingestion""}}, {""type"": ""DeployPushConnectorButton"", ""parameters"": {""label"": ""Deploy 42Crunch API Protection connector resources"", ""applicationDisplayName"": ""42Crunch API Protection (Push Connector via Codeless Connector Framework)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Configuration Values\n\nAfter deployment, copy the following values to configure your external security system:""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""TenantId""], ""label"": ""Tenant ID (Directory ID)"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationId""], ""label"": ""Entra App Registration Application ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationSecret""], ""label"": ""Entra App Registration Secret"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""DataCollectionEndpoint""], ""label"": ""Data Collection Endpoint Url"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""DataCollectionRuleId""], ""label"": ""Data Collection Rule Immutable ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [], ""label"": ""Stream Name (FortyTwoCrunchAPIProtectionV2)"", ""value"": ""Custom-FortyTwoCrunchAPIProtectionV2_CL""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Keep these values 
secure. You will need them to configure your external security system."", ""visible"": true, ""inline"": true}}]}, {""title"": ""2. Configure your external system to push logs"", ""description"": ""Use the following parameters to configure your external security system to send logs to the workspace.\n\n### Configuration Steps\n\n1. Access your external security system's configuration interface.\n2. Navigate to the data forwarding, integration, or SIEM settings.\n3. Select **Azure Monitor** or **Microsoft Sentinel** as the destination.\n4. Select **Data Collection Endpoint** as the authentication method.\n5. Configure the required fields using the values from the previous step:\n - **Tenant ID**: Copy from above\n - **Application (Client) ID**: Copy from above\n - **Client Secret**: Copy from above\n - **Data Collection Endpoint**: Copy from above\n - **Data Collection Rule Immutable ID**: Copy from above\n - **Stream Name**: Copy the appropriate stream name from above\n6. Save the configuration and enable/start the forwarder.\n\n### Validation\n\n> **Note**: Data will appear in the **FortyTwoCrunchAPIProtectionV2** table in your Log Analytics workspace within a few minutes.\n\nTo verify data is being received, run the following query in your Log Analytics workspace:\n\n```kusto\nFortyTwoCrunchAPIProtectionV2\n| where TimeGenerated > ago(1h)\n| take 10\n```\n\n### Troubleshooting\n\nIf data is not appearing:\n- Verify the configuration values are correct\n- Check that the forwarder/integration is enabled and running\n- Review logs in your external security system for any errors\n- Ensure network connectivity from your system to Azure\n- Verify the Entra application has the correct permissions"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""After deploying the Azure resources, configure the **42Crunch Log Forwarder** Docker container to send data to the deployed DCE/DCR endpoints instead of the legacy HTTP Data Collector API.""}}, 
{""type"": ""Markdown"", ""parameters"": {""content"": ""### Update Docker Compose / Helm Chart Environment Variables\n\nReplace the legacy `WORKSPACE_ID` and `WORKSPACE_KEY` environment variables with the new DCE/DCR configuration:\n\n```yaml\nenvironment:\n # Legacy (remove these):\n # - WORKSPACE_ID=\n # - WORKSPACE_KEY=\n\n # New CCF Push Connector configuration:\n - DCE_ENDPOINT=\n - DCR_IMMUTABLE_ID=\n - DCR_STREAM_NAME=Custom-FortyTwoCrunchAPIProtectionV2_CL\n\n # 42Crunch platform credentials (unchanged):\n - 42C_FIREWALL_TOKEN=\n - 42C_PLATFORM_URL=\n```""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""The DCE endpoint URL and DCR immutable ID are displayed after deploying the ARM resources in Step 1. For full configuration details, refer to the [42Crunch Microsoft Sentinel Integration](https://github.com/42Crunch/azure-sentinel-integration) documentation.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Important: Connection Status\n\nThis is a **push-based connector** - it receives data from the 42Crunch Log Forwarder and does not maintain an active polling connection. 
The connector shows as **Connected** when data has been received within the last 7 days.""}}]}, {""title"": ""Uninstall connector"", ""description"": ""Use this PowerShell script to delete the connector instance."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Delete the Connector Instance""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""Run the following PowerShell commands to remove the data connector instance:\n\n```powershell\n$sub = \""\""\n$rg = \""\""\n$ws = \""\""\n$connectorName = \""FortyTwoCrunchAPIProtection\""\n$armEndpoint = (az cloud show --query endpoints.resourceManager -o tsv).TrimEnd('/')\n\nWrite-Host \""Deleting $connectorName...\"" -NoNewline\naz rest --method DELETE --uri \""$armEndpoint/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$ws/providers/Microsoft.SecurityInsights/dataConnectors/$connectorName`?api-version=2024-09-01\""\nWrite-Host \"" Done\"" -ForegroundColor Green\n```""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""> NOTE: Replace ``, ``, and `` with your actual Azure values before running the script.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""This removes the push connector instance. 
Historical data in your Log Analytics workspace will be retained.""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Microsoft.Insights/dataCollectionEndpoints"", ""description"": ""Data Collection Endpoint is required for the modern push connector to receive data from the external security system.""}, {""name"": ""Microsoft.Insights/dataCollectionRules"", ""description"": ""Data Collection Rule is required to define the schema and transformations for incoming data.""}, {""name"": ""Microsoft.Authorization/roleAssignments"", ""description"": ""Role assignment is required to grant the Entra application permissions to send data to the Data Collection Rule.""}, {""name"": ""42Crunch API Firewall requirement"", ""description"": ""The 42Crunch API Firewall and Log Forwarder Docker containers must be deployed and running. Obtain your API Firewall token (42C_FIREWALL_TOKEN) and platform URL (42C_PLATFORM_URL) from the 42Crunch platform at https://platform.42crunch.com. 
Full deployment instructions are available at https://github.com/42Crunch/azure-sentinel-integration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/42CrunchAPIProtection.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","42Crunch API Protection","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection/Data%20Connectors/42Crunch_CCF/PollingConfig.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" "GCPAuditLogsDefinition","Microsoft","GCP Pub/Sub Audit Logs","The Google Cloud Platform (GCP) audit logs, ingested from Microsoft Sentinel's connector, enables you to capture three types of audit logs: admin activity logs, data access logs, and access transparency logs. Google cloud audit logs record a trail that practitioners can use to monitor access and detect potential threats across Google Cloud Platform (GCP) resources.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)."", ""govScript"": ""#### 1. 
Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Gov Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov).""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Connect new collectors \n To enable GCP Audit Logs for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect.""}}, {""type"": ""GCPGrid"", ""parameters"": {}}, {""type"": ""GCPContextPane"", ""parameters"": {}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/Data%20Connectors/GCPAuditLogs_ccp/data_connector_definition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Google Cloud Platform Audit 
Logs","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/Data%20Connectors/GCPAuditLogs_ccp/dcr.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20Audit%20Logs/Data%20Connectors/GCPAuditLogs_ccp/data_connector_poller.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#gcp-pubsub-audit-logs" "GCPCDNLogsCCPDefinition","Microsoft","Google Cloud Platform CDN (via Codeless Connector Framework)","The Google Cloud Platform CDN data connector provides the capability to ingest Cloud CDN Audit logs and Cloud CDN Traffic logs into Microsoft Sentinel using the Compute Engine API. Refer the [Product overview](https://cloud.google.com/cdn/docs/overview) document for more details.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### 1. Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformCDN/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPCDNLogsSetup)\n & the Authentication set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup)"", ""govScript"": ""#### 1. 
Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformCDN/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPCDNLogsSetup)\n & the Authentication set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPInitialAuthenticationSetupGov)""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Enable CDN logs \n In the Google Cloud Console, enable cloud logging if not enabled previously, and save the changes. Navigate to Cloud CDN section and click on Add origin to create backends as per link provided below. \n\n Reference Link: [Link to documentation](https://cloud.google.com/cdn/docs/using-cdn)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. 
Connect new collectors \n To enable GCP Cloud CDN Logs for Microsoft Sentinel, click on Add new collector button, provide the required information in the pop up and click on Connect.""}}, {""type"": ""GCPGrid"", ""parameters"": {}}, {""type"": ""GCPContextPane"", ""parameters"": {}}], ""title"": ""Connect GCP CDN to Microsoft Sentinel\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformCDN/Data%20Connectors/GCPCDNLogs_ccp/GCPCDNLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","GoogleCloudPlatformCDN","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformCDN/Data%20Connectors/GCPCDNLogs_ccp/GCPCDNLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformCDN/Data%20Connectors/GCPCDNLogs_ccp/GCPCDNLogs_PollingConfig.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-cdn-via-codeless-connector-framework" "GCPCLOUDIDSLogsCCPDefinition","Microsoft","Google Cloud Platform Cloud IDS (via Codeless Connector Framework)","The Google Cloud Platform IDS data connector provides the capability to ingest Cloud IDS Traffic logs, Threat logs and Audit logs into Microsoft Sentinel using the Google Cloud IDS API. Refer to [Cloud IDS API](https://cloud.google.com/intrusion-detection-system/docs/audit-logging#google.cloud.ids.v1.IDS) documentation for more information.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### 1. 
Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIDS/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPCloudIDSLogSetup)\n & the Authentication set up script: [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup)"", ""govScript"": ""#### 1. Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIDS/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script: [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPCloudIDSLogSetup)\n & the Authentication set up script: [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPInitialAuthenticationSetupGov)""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": 
""Markdown"", ""parameters"": {""content"": ""#### 2. Enable IDS logs \n In the Google Cloud Console, enable Cloud IDS API, if not enabled previously. Create an IDS Endpoint and save the changes.\n\nFor more information on how to create and configure an IDS endpoint: [Link to documentation](https://cloud.google.com/intrusion-detection-system/docs/configuring-ids)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Connect new collectors \n To enable GCP IDS Logs for Microsoft Sentinel, click on Add new collector button, provide the required information in the pop up and click on Connect.""}}, {""type"": ""GCPGrid"", ""parameters"": {}}, {""type"": ""GCPContextPane"", ""parameters"": {}}], ""title"": ""Connect GCP Cloud IDS to Microsoft Sentinel\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIDS/Data%20Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","GoogleCloudPlatformIDS","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIDS/Data%20Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformIDS/Data%20Connectors/GCPCloudIDSLog_CCP/GCPCloudIDSLog_PollingConfig.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-cloud-ids-via-codeless-connector-framework" 
@@ -281,6 +284,7 @@ "GCPResourceManagerLogsCCFDefinition","Microsoft","Google Cloud Platform Resource Manager (via Codeless Connector Framework)","The Google Cloud Platform Resource Manager data connector provides the capability to ingest Resource Manager [Admin Activity and Data Access Audit logs](https://cloud.google.com/resource-manager/docs/audit-logging) into Microsoft Sentinel using the Cloud Resource Manager API. Refer the [Product overview](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) document for more details.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### 1. Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/GoogleCloudPlatformResourceManager/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script [**here**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPResourceManagerLogsSetup/GCPResourceManagerLogSetup.tf)\n & the Authentication set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPInitialAuthenticationSetup)"", ""govScript"": ""#### 1. 
Setup the GCP environment \n Ensure to have the following resources from the GCP Console:\n Project ID, Project Name, GCP Subscription name for the project, Workload Identity Pool ID, Workspace Identity Provider ID, and a Service Account to establish the connection.\n For more information, refer the [Connector tutorial](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/GoogleCloudPlatformResourceManager/Data%20Connectors/README.md) for log setup and authentication setup tutorial.\n\n Find the Log set up script [**here**](https://raw.githubusercontent.com/Azure/Azure-Sentinel/c1cb589dad1add228f78e629073a9b069ce52991/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPResourceManagerLogsSetup/GCPResourceManagerLogSetup.tf)\n & the Authentication set up script [**here**](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation_gov/GCPInitialAuthenticationSetupGov)""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Enable Resource Manager logs \n In the Google Cloud Console, enable cloud resource manager API if not enabled previously, and save the changes. Make sure to have organization level IAM permissions for your account to see all logs in the resource hierarchy. You can refer the document links for different IAM permissions for access control with IAM at each level provided in this [link](https://cloud.google.com/resource-manager/docs/how-to)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. 
Connect new collectors \n To enable GCP Resource Manager Logs for Microsoft Sentinel, click on Add new collector button, provide the required information in the pop up and click on Connect.""}}, {""type"": ""GCPGrid"", ""parameters"": {}}, {""type"": ""GCPContextPane"", ""parameters"": {}}], ""title"": ""Connect GCP Resource Manager to Microsoft Sentinel\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformResourceManager/Data%20Connectors/GCPResourceManagerAuditLogs_ccf/GCPResourceManagerAuditLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","GoogleCloudPlatformResourceManager","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformResourceManager/Data%20Connectors/GCPResourceManagerAuditLogs_ccf/GCPResourceManagerAuditLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleCloudPlatformResourceManager/Data%20Connectors/GCPResourceManagerAuditLogs_ccf/GCPResourceManagerAuditLogs_PollingConfig.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#google-cloud-platform-resource-manager-via-codeless-connector-framework" "GCPVPCFlowLogsCCPDefinition","Microsoft","GCP Pub/Sub VPC Flow Logs (via Codeless Connector Framework)","The Google Cloud Platform (GCP) VPC Flow Logs enable you to capture network traffic activity at the VPC level, allowing you to monitor access patterns, analyze network performance, and detect potential threats across GCP resources.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### 1. 
Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription. \n To configure this data connector, execute the following Terraform scripts:\n 1. Setup Required Resources: [Configuration Guide](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md)\n 2. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). Note: If Authentication is already setup using another GCP data connector , kindly skip this step and use the existing service account and workload identity pool."", ""govScript"": ""#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription. \n To configure this data connector, execute the following Terraform scripts:\n 1. Setup Required Resources: [Configuration Guide]https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GCPVPCFlowLogsSetup/readme.md)\n 2. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). 
Note: If Authentication is already setup using another GCP data connector , kindly skip this step and use the existing service account and workload identity pool.""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Enable VPC Flow Logs \nIn your GCP account, navigate to the VPC network section. Select the subnet you want to monitor and enable Flow Logs under the Logging section.\n\nFor more information: [Google Cloud Documentation](https://cloud.google.com/vpc/docs/using-flow-logs)""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Connect new collectors \n To enable GCP VPC Flow Logs for Microsoft Sentinel, click the Add new collector button, fill in the required information in the context pane, and click Connect.""}}, {""type"": ""GCPGrid"", ""parameters"": {}}, {""type"": ""GCPContextPane"", ""parameters"": {}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20VPC%20Flow%20Logs/Data%20Connectors/GCPVPCFlowLogs_GCP_CCP/GCPVPCFlowLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Google Cloud Platform VPC Flow 
Logs","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20VPC%20Flow%20Logs/Data%20Connectors/GCPVPCFlowLogs_GCP_CCP/GCPVPCFlowLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Cloud%20Platform%20VPC%20Flow%20Logs/Data%20Connectors/GCPVPCFlowLogs_GCP_CCP/GCPVPCFlowLogs_PollingConfig.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#gcp-pubsub-vpc-flow-logs-via-codeless-connector-framework" "GKECCPDefinition","Microsoft","Google Kubernetes Engine (via Codeless Connector Framework)","The Google Kubernetes Engine (GKE) Logs enable you to capture cluster activity, workload behavior, and security events, allowing you to monitor Kubernetes workloads, analyze performance, and detect potential threats across GKE clusters.","[{""instructions"": [{""type"": ""MarkdownControlEnvBased"", ""parameters"": {""prodScript"": ""#### Please reference [Ingest Google Cloud Platform log data into Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) \n1. Set up your GCP environment \nYou must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription.\n\nTo configure this data connector, execute the following Terraform scripts:\n\n1. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). Note: If Authentication is already setup using another GCP data connector, kindly skip this step and use the existing service account and workload identity pool.\n2. 
Setup Required Resources: [Configuration Guide](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GoogleKubernetesEngineLogsSetup/readme.md)"", ""govScript"": ""#### Please reference [Ingest Google Cloud Platform log data into Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs) \n1. Set up your GCP environment \nYou must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider, and service account with permissions to get and consume from the subscription.\n\nTo configure this data connector, execute the following Terraform scripts:\n\n1. Setup Authentication: [Authentication tutorial](https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform?tabs=terraform%2Cauditlogs#gcp-authentication-setup). Note: If Authentication is already setup using another GCP data connector, kindly skip this step and use the existing service account and workload identity pool.\n2. Setup Required Resources: [Configuration Guide](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/GCP/Terraform/sentinel_resources_creation/GoogleKubernetesEngineLogsSetup/readme.md)""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment."", ""fillWith"": [""TenantId""], ""name"": ""TenantId"", ""disabled"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Enable Kubernetes Engine Logging \nIn your GCP account, navigate to the Kubernetes Engine section. Enable Cloud Logging for your clusters. 
Within Cloud Logging, ensure that the specific logs you want to ingest\u2014such as API server, scheduler, controller manager, HPA decision, and application logs\u2014are enabled for effective monitoring and security analysis.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Connect new collectors \nTo enable GKE Logs for Microsoft Sentinel, click the **Add new collector** button, fill in the required information in the context pane, and click **Connect**.""}}, {""type"": ""GCPGrid"", ""parameters"": {""collectors"": [{""name"": ""Audit Collector"", ""tableName"": ""GKEAudit""}, {""name"": ""API Server Collector"", ""tableName"": ""GKEAPIServer""}, {""name"": ""Scheduler Collector"", ""tableName"": ""GKEScheduler""}, {""name"": ""Controller Manager Collector"", ""tableName"": ""GKEControllerManager""}, {""name"": ""HPA Decision Collector"", ""tableName"": ""GKEHPADecision""}, {""name"": ""Application Collector"", ""tableName"": ""GKEApplication""}]}}, {""type"": ""GCPContextPane"", ""parameters"": {}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Kubernetes%20Engine/Data%20Connectors/GoogleKubernetesEngineLogs_ccp/GoogleKubernetesEngineLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Google Kubernetes 
Engine","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Kubernetes%20Engine/Data%20Connectors/GoogleKubernetesEngineLogs_ccp/GoogleKubernetesEngineLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Google%20Kubernetes%20Engine/Data%20Connectors/GoogleKubernetesEngineLogs_ccp/GoogleKubernetesEngineLogs_PollingConfig.json","GCP","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#google-kubernetes-engine-via-codeless-connector-framework" +"GSDetectionAlerts","Google","Google SecOps Detection Alerts","The [Google SecOps](https://cloud.google.com/security/products/security-operations) (formerly Chronicle) data connector provides the capability to ingest detection alerts from Google SecOps into Microsoft Sentinel using the [legacyStreamDetectionAlerts](https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.legacy/legacyStreamDetectionAlerts) API. Refer to [API documentation](https://cloud.google.com/chronicle/docs/reference/rest) for more information. The connector provides the ability to get detection alert data which helps to examine potential security threats, investigate rule-based detections, and respond to incidents identified by Google SecOps.","[{""title"": """", ""description"": "">**NOTE:** This connector uses two Azure Functions to connect to the Google SecOps API:\n- **GoogleSecOpsToStorage**: Polls the Google SecOps API on a configurable schedule and saves raw detection batches to Azure File Share.\n- **AzureStorageToSentinel**: Monitors the file share and ingests saved detections into Microsoft Sentinel via the Logs Ingestion API (DCR).\n\n>**NOTE:** This connector uses Azure Functions and Azure Storage, which may result in additional data ingestion and operational costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for Google SecOps Service Account**\n\n1. Sign in to the [Google Cloud Console](https://console.cloud.google.com/) and select the **project** associated with your Google SecOps instance.\n2. From the project selector at the top, note the **Project ID** \u2014 this is the **GoogleSecopsProjectId** parameter.\n3. Navigate to **IAM & Admin > Service Accounts** and click **Create Service Account**.\n4. Enter a name (e.g., `secops-sentinel-sa`) and click **Create and Continue**.\n5. Assign a role that includes the permission: `chronicle.legacies.legacyStreamDetectionAlerts`.\n6. Click **Done**, then click the newly created service account from the list.\n7. Go to the **Keys** tab, click **Add Key > Create new key**, select **JSON**, and click **Create**. Save the downloaded file.\n8. The full text content of the downloaded JSON file is the **GoogleSecopsServiceAccountJson** parameter.\n\n> To find **GoogleSecopsRegion** and **GoogleSecopsInstanceId**: sign in to the [Google SecOps console](https://chronicle.security), go to **Settings > SIEM Settings**, and note the **Region** and **Instance ID** values displayed there.""}, {""title"": """", ""description"": ""**STEP 2 - App Registration steps for the Application in Microsoft Entra ID**\n\nThis integration requires an App registration in the Azure portal. Follow the steps below to create a new application in Microsoft Entra ID:\n1. Sign in to the [Azure portal](https://portal.azure.com/).\n2. Search for and select **Microsoft Entra ID**.\n3. Under **Manage**, select **App registrations > New registration**.\n4. Enter a display **Name** for your application (e.g., `gcs-detection-alerts-app`).\n5. 
Select **Register** to complete the initial app registration.\n6. When registration finishes, the Azure portal displays the app registration's **Overview** pane. Note the **Application (client) ID** \u2014 this is the **AzureClientId** parameter. Note the **Directory (tenant) ID** \u2014 this is the **TenantId** parameter.\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 3 - Add a client secret for the application in Microsoft Entra ID**\n\nSometimes called an application password, a client secret is a string value required by this data connector. Follow the steps below to create a new Client Secret:\n1. In the Azure portal, in **App registrations**, select your application.\n2. Select **Certificates & secrets > Client secrets > New client secret**.\n3. Add a description for your client secret.\n4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n5. Select **Add**.\n6. *Record the secret's **Value** for use as the **AzureClientSecret** parameter. This secret value is never displayed again after you leave this page.*\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 4 - Get Object ID of your application in Microsoft Entra ID**\n\nAfter creating your app registration, follow the steps below to get the Object ID required for the DCR role assignment:\n1. Go to **Microsoft Entra ID**.\n2. Select **Enterprise applications** from the left menu.\n3. Search for and click your newly created application.\n4. 
On the **Overview** page, copy the **Object ID** \u2014 this is the **AzureEntraObjectID** parameter.""}, {""title"": """", ""description"": ""**STEP 5 - Get Log Analytics Workspace details**\n\n1. In the Azure portal, navigate to your **Log Analytics workspace**.\n2. On the **Overview** page, copy the **Name** of the workspace \u2014 this is the **WorkspaceName** parameter.\n3. From the left menu, go to **Settings > Properties**.\n4. Copy the **Resource ID** value \u2014 this is the **AppInsightsWorkspaceResourceID** parameter. It follows the format:\n `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}`""}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Google SecOps Detection Alerts connector.\n\n1. Click the **Deploy to Azure** button below.\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GoogleSecOpsDetectionAlerts-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-GoogleSecOpsDetectionAlerts-azuredeploy-gov)\n\n2. Select the preferred **Subscription**, **Resource Group**, and **Location**.\n\n3. Enter the below information in the deployment form:\n\n\t a. **DetectionAlertsTableName** - Custom Log Analytics table name to store detection alerts. Default: `DetectionAlerts`. (_Note: `_CL` suffix is appended automatically._)\n\n\t b. **GoogleSecopsProjectId** - Google Cloud project ID hosting the Google SecOps instance. Obtained in Step 1.\n\n\t c. **GoogleSecopsRegion** - Google SecOps instance region. Select from the dropdown list of supported regions. Obtained in Step 1.\n\n\t d. **GoogleSecopsInstanceId** - Google SecOps instance ID. Obtained in Step 1.\n\n\t e. **GoogleSecopsServiceAccountJson** - Full JSON content of the downloaded Google Cloud service account key file. Obtained in Step 1.\n\n\t f. 
**GoogleOAuthScope** - Google OAuth scope for service account authentication. Default: `https://www.googleapis.com/auth/cloud-platform`. Keep the default unless your organization requires a different scope.\n\n\t g. **FunctionName** - Prefix for the Azure Function App name (1-11 characters). Default: `GSDAlerts`.\n\n\t h. **LookbackDays** - Number of days to look back for the initial data pull (range: 1-7, default: 1). Subsequent runs automatically resume from the saved checkpoint.\n\n\t i. **FetchSchedule** - CRON expression controlling how often the connector polls the Google SecOps API. Default: `0 */10 * * * *` (every 10 minutes).\n\n\t j. **IngestSchedule** - CRON expression controlling how often saved detections are ingested into Sentinel. Default: `0 2/10 * * * *` (every 10 minutes, offset by 2 minutes).\n\n\t k. **LogLevel** - Application log verbosity. Allowed values: `DEBUG`, `INFO`, `WARNING`, `ERROR`. Default: `INFO`.\n\n\t l. **TenantId** - Directory (tenant) ID of your Microsoft Entra ID. Obtained in Step 2.\n\n\t m. **AzureClientId** - Application (client) ID of the registered app. Obtained in Step 2.\n\n\t n. **AzureClientSecret** - Client secret value of the registered app. Obtained in Step 3.\n\n\t o. **AzureEntraObjectID** - Object ID of the registered app from Enterprise Applications. Obtained in Step 4.\n\n\t p. **WorkspaceName** - Name of your Log Analytics workspace. Obtained in Step 5.\n\n\t q. **AppInsightsWorkspaceResourceID** - Full resource ID of your Log Analytics workspace. Obtained in Step 5.\n\n\t r. **Location** - Azure region for deploying data collection rules and endpoints. Defaults to the resource group location.\n\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n\n5. Click **Review + Create** and then **Create** to deploy.""}, {""title"": """", ""description"": ""**STEP 7 - Verify Data Ingestion**\n\n1. After deployment completes (10-20 minutes), navigate to your Log Analytics workspace.\n2. 
Run the following query to verify data is arriving:\n\n\t```kusto\n\tDetectionAlerts_CL\n\t| where TimeGenerated > ago(1h)\n\t| summarize Count=count()\n\t```""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Microsoft.Insights/dataCollectionRules permissions"", ""description"": ""Write permissions to Data Collection Rules are required.""}, {""name"": ""Microsoft.Insights/dataCollectionEndpoints permissions"", ""description"": ""Write permissions to Data Collection Endpoints are required.""}, {""name"": ""Microsoft.Storage/storageAccounts permissions"", ""description"": ""Read and write permissions to Azure Storage Account for File Share operations are required.""}, {""name"": ""Microsoft Entra ID App Registration"", ""description"": ""An app registration with API permissions for Azure Monitor Ingestion is required for posting data to Sentinel.""}, {""name"": ""Google Cloud Service Account"", ""description"": ""A Google Cloud service account with SecOps API access is required. 
The service account JSON key must be provided during deployment. [See the documentation to learn more about Google SecOps API access](https://cloud.google.com/chronicle/docs/reference/rest).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps/Data%20Connectors/GoogleSecOpsDetectionAlerts/GoogleSecOpsDetectionAlerts_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","GoogleSecOps","false","","false","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","" "GarrisonULTRARemoteLogs","Garrison","Garrison ULTRA Remote Logs","The [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) Remote Logs connector allows you to ingest Garrison ULTRA Remote Logs into Microsoft Sentinel.","[{""title"": ""Deployment - Azure Resource Manager (ARM) Template"", ""description"": ""These steps outline the automated deployment of the Garrison ULTRA Remote Logs data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Frefs%2Fheads%2Fmaster%2FSolutions%2FGarrison%2520ULTRA%2FData%2520Connectors%2FGarrisonULTRARemoteLogs%2Fazuredeploy_DataCollectionResources.json) \t\t\t\n2. Provide the required details such as Resource Group, Microsoft Sentinel Workspace and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of these resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. 
Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Garrison ULTRA"", ""description"": ""To use this data connector you must have an active [Garrison ULTRA](https://www.garrison.com/en/garrison-ultra-cloud-platform) license.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Garrison%20ULTRA/Data%20Connectors/GarrisonULTRARemoteLogs/GarrisonULTRARemoteLogs_ConnectorUI.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Garrison ULTRA","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#garrison-ultra-remote-logs-using-azure-functions" "GigamonDefinition","GigamonDefinition","Gigamon AMX Connector","The Gigamon connector provides the capability to read raw event data from Gigamon in Microsoft Sentinel.","[{""title"": ""1. 
Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector reads data from the tables that Gigamon CCF uses in a Microsoft Analytics Workspace, if the data forwarding option is enabled in Gigamon CCF then raw event data is sent to the Microsoft Sentinel Ingestion API."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Deploy Gigamon CCF connector resources"", ""applicationDisplayName"": ""Gigamon CCF Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. Push your logs into the workspace"", ""description"": ""Use the following parameters to configure the your machine to send the logs to the workspace."", ""instructions"": [{""parameters"": {""label"": ""Tenant ID (Directory ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint Uri"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the Data Collection Endpoint Uri""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule Immutable ID"", 
""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the Data Collection Rule Immutable ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Activity Stream Name"", ""value"": ""Custom-GigamonV2_CL""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Threat Stream Name"", ""value"": ""Custom-GigamonV2_CL""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). 
Typically requires Azure RBAC Owner or User Access Administrator role""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Gigamon%20Connector/Data%20Connectors/Gigamon_CCF/Gigamon_ConnectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Gigamon Connector","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Gigamon%20Connector/Data%20Connectors/Gigamon_CCF/Gigamon_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Gigamon%20Connector/Data%20Connectors/Gigamon_CCF/Gigamon_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#gigamon-amx-connector" "GitHubAuditBlobConnector","Microsoft","GitHub Enterprise Audit Log (via Azure Storage)","The GitHub audit log connector ingests GitHub Enterprise audit logs into Microsoft Sentinel from Azure Blob Storage with near real-time latency. GitHub streams audit logs to Blob Storage in near real time, and the connector polls the Azure Storage Queue for new blob-created notifications every 5 minutes (default polling interval). 
By connecting GitHub audit logs to Microsoft Sentinel, you can view this data in workbooks, create custom alerts, and improve your investigation process.","[{""title"": ""Connect GitHub Audit Logs to Microsoft Sentinel"", ""description"": ""To enable the GitHub Audit Log ingestion from Azure Blob Storage, provide the required information below and click on Connect.\n>"", ""instructions"": [{""type"": ""ServicePrincipalIDTextBox_test"", ""parameters"": {""name"": ""principalId"", ""tenantId"": ""[subscription().tenantId]"", ""appId"": ""4f05ce56-95b6-4612-9d98-a45c8cc33f9f""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The blob container URL you want to collect data from"", ""placeholder"": """", ""type"": ""text"", ""name"": ""blobContainerUri""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The blob folder name in the container. Optional."", ""placeholder"": """", ""type"": ""text"", ""name"": ""blobFolderName""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The blob container's storage account location"", ""placeholder"": ""eastus"", ""type"": ""text"", ""name"": ""StorageAccountLocation""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The blob container's storage account resource group name"", ""placeholder"": ""my-resource-group"", ""type"": ""text"", ""name"": ""StorageAccountResourceGroupName""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The blob container's storage account subscription id"", ""placeholder"": """", ""type"": ""text"", ""name"": ""StorageAccountSubscription""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""The Event Grid system topic name for the storage account, if one exists; otherwise, leave empty."", ""placeholder"": """", ""type"": ""text"", ""name"": ""EGSystemTopicName"", ""description"": ""The data flow uses Event Grid to send blob-created event notifications. 
There can be only one Event Grid system topic per storage account.\nNavigate to your storage account and check the **Events** section. If a topic already exists, provide its name. Otherwise, leave this field empty.""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}, {""title"": ""Blob Lifecycle Policy (Recommended)"", ""description"": ""To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. 
If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one."", ""instructions"": []}, {""title"": ""Reference"", ""description"": ""For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector)."", ""instructions"": []}, {""title"": ""Troubleshooting"", ""description"": ""If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main)."", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Microsoft Entra ID - Admin Consent (one-time per tenant)"", ""description"": ""The connector uses Microsoft's **ScubaSentinelToStorageProd** enterprise application to access your storage account. If this app has not been previously consented to in your tenant, a user with one of the following roles must click **'Grant tenant-wide admin consent'** on the connector page before proceeding:\n- **Cloud Application Administrator** *(minimum required role)*\n- **Application Administrator**\n- **Global Administrator**\n\n> **Note:** This is a one-time action per tenant. 
If the service principal already exists (i.e., another connector using ScubaSentinelToStorageProd was previously configured in this tenant), the service principal ID will be auto-populated and no action is needed.""}, {""name"": ""Subscription permissions"", ""description"": ""You need the following permissions to deploy the connector's data flow resources:\n- **Contributor** role on the subscription or resource group - to deploy Event Grid, storage queues, DCR, and related connector resources.\n- **Owner** or **User Access Administrator** role on the Storage Account - to assign RBAC roles to the Microsoft Sentinel service principal.\n- **Owner** or **Event Grid Contributor** role on the Storage Account - to create Event Grid system topics and event subscriptions.\n\n> **Note:** The `Microsoft.EventGrid` resource provider must be [registered](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types) in the subscription containing the storage account.""}, {""name"": ""Storage Account Requirements"", ""description"": ""The Azure Blob Storage account must meet the following requirements:\n- **Azure Data Lake Storage Gen2 (hierarchical namespace enabled)** - standard storage accounts are not supported.\n- A blob container already configured to receive GitHub Enterprise audit log streaming.""}, {""name"": ""Storage Account Network Configuration"", ""description"": ""IP-based network rules (selected networks / IPv4 CIDR) are **not supported** for this connector due to [Azure Storage firewall restrictions and limitations](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations):\n- IP network rules have **no effect** on requests originating from the same Azure region as the storage account.\n- IP network rules **cannot restrict** access to Azure services deployed in the same region, as these services use private Azure IP addresses for communication.\n- Virtual network service endpoint rules 
do not apply to clients in a paired region.\n\n**Options:**\n- **No network restrictions needed?** Set the storage account's **Networking** blade to **Enabled from all networks**.\n- **Need to restrict access?** Use [Network Security Perimeter (NSP)](https://learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security) to whitelist Scuba IPv4 addresses. Note: only IPv4 addresses are currently supported for NSP inbound rules; IPv6 is not supported. There is an ongoing effort with the NSP team to support service tags, which will eliminate the need for manual IP management in the future.\n\n**Important:** Do **not** configure network rules based on GitHub IP ranges. GitHub does not provide stable IP ranges as the source of audit log streaming, and those IPs may change without notice.""}, {""name"": ""Storage Account Role Assignments"", ""description"": ""The following Azure RBAC roles must be assigned to the Microsoft Sentinel enterprise application service principal (displayed below) on the **Storage Account** that contains your blob container:\n- **Storage Blob Data Reader** - required for reading blob data from the container.\n- **Storage Queue Data Contributor** - required for managing notification and dead-letter queue messages.\n\nTo assign these roles: navigate to the Storage Account -> **Access Control (IAM)** -> **Add role assignment**, search for the service principal ID shown below, and assign both roles.""}, {""name"": ""Collecting GitHub audit logs to your blob container"", ""description"": ""Follow the steps in the [GitHub documentation](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-azure-blob-storage) to configure audit log streaming to your Azure Blob Storage 
container.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Data%20Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","GitHub","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Data%20Connectors/GitHubAuditLogs_AzStorage/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Data%20Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json","StorageAccountBlobContainer;ServicePrincipal","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#deprecated-github-enterprise-audit-log" @@ -296,7 +300,7 @@ "GravityZoneDataConnector","Bitdefender","GravityZone Data Connector","This connector enables integration between **Bitdefender GravityZone** and **Microsoft Sentinel** through the **Event Push Service API**. Once configured, it streams all GravityZone event types directly into your Microsoft Sentinel workspace, where they are stored as logs in the `GzSecurityEvents_CL` table.

Key event categories such as **EDR, XDR, ransomware mitigation, network sandboxing, and Exchange malware events** can be automatically correlated and generate incidents through the **NRT GravityZone Incident Alerts** analytics rule.","[{""description"": ""1. Click the **Deploy to Azure** button below and fill in the required parameters. \n\n\t\n\n[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-gravityzone-azuredeploy)\n\n2. Collect the **Logs Ingestion** URL from `gz-sentinel-dce` [Data Collection Endpoint](https://portal.azure.com/#view/HubsExtension/BrowseResource.ReactView/resourceType/microsoft.insights%2Fdatacollectionendpoints)\n\n3. Collect the **Immutable ID** from `gz-sentinel-dcr` [Data Collection Rule](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules)\n\n4. Go to your GravityZone Cloud account and navigate to **My Account**. Create an API key with **Event Push Service** permissions.\n\n5. Configure your **Event Push Service** settings using this article. [Customers](https://www.bitdefender.com/business/support/en/77209-1455218-integrate-gravityzone-with-azure-sentinel.html#UUID-5e8bbfa1-7892[%E2%80%A6]-2427-abd6f930e8c2) | [Partners](https://www.bitdefender.com/business/support/en/77211-1455218-integrate-gravityzone-with-azure-sentinel.html#UUID-5e8bbfa1-7892[%E2%80%A6]-2427-abd6f930e8c2).\n\n**Please note that after the successful deployment of the Data Connector & successful setup of GravityZone's Event Push Service, the system will receive Activity Log data in near-real-time. 
A short delay may occur between data transmission and its appearance in the Microsoft Sentinel Logs section.**""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.Insights/DataCollectionRules"", ""permissionsDisplayText"": ""read and write permissions to create data collection rules are required."", ""providerDisplayName"": ""Data Collection Rule"", ""scope"": ""ResourceGroup"", ""requiredPermissions"": {""Write"": true, ""Read"": true, ""Delete"": false}}, {""provider"": ""Microsoft.Insights/DataCollectionEndpoints"", ""permissionsDisplayText"": ""read and write permissions to create data collection endpoints are required."", ""providerDisplayName"": ""Data Collection Endpoint"", ""scope"": ""ResourceGroup"", ""requiredPermissions"": {""Write"": true, ""Read"": true, ""Delete"": false}}], ""customs"": [{""name"": ""Azure App Registration"", ""description"": ""Microsoft Entra App Registration with the following details retained Directory (Tenant) ID, Application (Client) ID, Managed Service Principal Object ID (from the Enterprise Applications entry of the app), Client Secret (generated under Certificates & secrets).""}, {""name"": ""GravityZone Cloud Account"", ""description"": ""A GravityZone Cloud account with a generated API key for the Event Push Service endpoint.""}, {""name"": ""Read our guide"", ""description"": ""Follow this step-by-step article to set up the integration. 
[Customers](https://www.bitdefender.com/business/support/en/77209-1455218-integrate-gravityzone-with-azure-sentinel.html) | [Partners](https://www.bitdefender.com/business/support/en/77211-1455218-integrate-gravityzone-with-azure-sentinel.html)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GravityZone/Data%20Connectors/GravityZone_API.json","","Unknown (Custom Log)","Custom log table - needs analysis","","","","","false","GravityZone","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#gravityzone-data-connector" "GreyNoise2SentinelAPI","GreyNoise, Inc. and BlueCycle LLC","GreyNoise Threat Intelligence","This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelIndicators table in Microsoft Sentinel.","[{""title"": ""You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps: "", ""description"": ""\n> The following steps create an Azure AAD application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration.""}, {""title"": ""1. Retrieve your API Key from GreyNoise Visualizer."", ""description"": ""Generate an API key from GreyNoise Visualizer https://docs.greynoise.io/docs/using-the-greynoise-api""}, {""title"": ""2. In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID and Client ID. 
Also, get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance (it should display below)."", ""description"": ""Follow the instructions here to create your Azure AAD app and save your Client ID and Tenant ID: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#instructions\n NOTE: Wait until step 5 to generate your client secret."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. Assign the AAD application the Microsoft Sentinel Contributor Role."", ""description"": ""Follow the instructions here to add the Microsoft Sentinel Contributor Role: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application""}, {""title"": ""4. Specify the AAD permissions to enable MS Graph API access to the upload-indicators API."", ""description"": ""Follow this section here to add **'ThreatIndicators.ReadWrite.OwnedBy'** permission to the AAD App: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. \n Back in your AAD App, ensure you grant admin consent for the permissions you just added. \n Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6. ""}, {""title"": ""5. Deploy the Threat Intelligence (New) Solution, (v3.0.14 or later) which includes the Threat Intelligence Upload Indicators API (Preview)"", ""description"": ""See Microsoft Sentinel Content Hub for this Solution, and install it in the Microsoft Sentinel instance. Note that you do not need to do any configuration in this step.""}, {""title"": ""6. 
Deploy the Azure Function"", ""description"": ""Click the Deploy to Azure button.\n\n [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GreyNoise-azuredeploy)\n\n Fill in the appropriate values for each parameter. **Be aware** that the only valid values for the **GREYNOISE_CLASSIFICATIONS** parameter are **benign**, **malicious** and/or **unknown**, which must be comma-separated.""}, {""title"": ""7. Send indicators to Sentinel"", ""description"": ""The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the [Microsoft Upload Threat Intelligence Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api). \n Each indicator expires in ~24 hours from creation unless found on the next day's query. In this case the TI Indicator's **Valid Until** time is extended for another 24 hours, which keeps it active in Microsoft Sentinel. \n\n For more information on the GreyNoise API and the GreyNoise Query Language (GNQL), [click here](https://developer.greynoise.io/docs/using-the-greynoise-api).""}]","{""resourceProvider"": [{""provider"": ""Microsoft.SecurityInsights/threatintelligence/write"", ""permissionsDisplayText"": ""write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""GreyNoise API Key"", ""description"": ""Retrieve your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GreyNoiseThreatIntelligence/Data%20Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (api.ti.sentinel.azure.com)","","","","ThreatIntelIndicators.SourceSystem == ""GreyNoise""","false","GreyNoiseThreatIntelligence","false","","true","","","","STIX 2.1 Upload Indicators API","Connector code references STIX 2.1 Upload Indicators API endpoint (matched 'api.ti.sentinel.azure.com')","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#greynoise-threat-intelligence" "HVPollingIDAzureFunctions","CTM360","HackerView Intergration","Through the API integration, you have the capability to retrieve all the issues related to your HackerView organizations via a RESTful interface.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to a '' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the 'HackerView' API**\n\nThe provider should provide or link to detailed steps to configure the 'HackerView' API endpoint so that the Azure Function can authenticate to it successfully, get its authorization key or token, and pull the appliance's logs into Microsoft Sentinel.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 'HackerView' connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the 'HackerView' API authorization key(s) readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the 'HackerView' connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CTM360-HV-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CTM360-HV-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API **, 'and/or Other required fields'. \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": """", ""description"": ""**Option 2 - Manual Deployment of Azure Functions**\n\n Use the following step-by-step instructions to deploy the 'HackerView' connector manually with Azure Functions.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the CTM360 CBS data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://raw.githubusercontent.com/CTM360-Integrations/Azure-Sentinel/ctm360-HV-CBS-azurefunctionapp/Solutions/CTM360/Data%20Connectors/HackerView/AzureFunctionCTM360_HV.zip) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. 
Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CTIXYZ).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCTM360AccountID\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tCTM360Key\n\t\tFUNCTION_NAME\n\t\tlogAnalyticsUri - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTM360/Data%20Connectors/HackerView/CTM360_HV_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","CTM360","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" -"HYASProtect","HYAS","HYAS Protect","HYAS Protect provide logs based on reputation values - Blocked, Malicious, Permitted, Suspicious.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the HYAS API to pull Logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the HYAS Protect data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-HYASProtect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Function Name**, **Table Name**, **Workspace ID**, **Workspace Key**, **API Key**, **TimeInterval**, **FetchBlockedDomains**, **FetchMaliciousDomains**, **FetchSuspiciousDomains**, **FetchPermittedDomains** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the HYAS Protect Logs data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-HYASProtect-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. 
Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. HyasProtectLogsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIKey\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n. 
Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**HYAS API Key** is required for making API calls.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS%20Protect/Data%20Connectors/HYASProtect_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","HYAS Protect","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" +"HYASProtect","HYAS","HYAS Protect","HYAS Protect provide logs based on reputation values - Blocked, Malicious, Permitted, Suspicious.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the HYAS API to pull Logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the HYAS Protect data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-HYASProtect-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Function Name**, **Table Name**, **Workspace ID**, **Workspace Key**, **API Key**, **TimeInterval**, **FetchBlockedDomains**, **FetchMaliciousDomains**, **FetchSuspiciousDomains**, **FetchPermittedDomains** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the HYAS Protect Logs data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. 
Deploy a Function App**\n\n> NOTE:You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-HYASProtect-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. HyasProtectLogsXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAPIKey\n\t\tPolling\n\t\tWorkspaceID\n\t\tWorkspaceKey\n. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**HYAS API Key** is required for making API calls.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS%20Protect/Data%20Connectors/HYASProtect_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","HYAS Protect","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "HalcyonPush","Halcyon","Halcyon Connector","The [Halcyon](https://www.halcyon.ai) connector provides the capability to send data from Halcyon to Microsoft Sentinel.","[{""title"": ""1. Create ARM Resources and Provision Required Permissions"", ""description"": ""This connector reads data from the tables that Halcyon uses in a Microsoft Analytics Workspace, if the data is being forwarded"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Deploy Halcyon Connector Resources"", ""applicationDisplayName"": ""Halcyon Sentinel Connector""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. 
Configure your integration in the Halcyon Platform"", ""description"": ""Use the following parameters to configure your integration in the Halcyon Platform."", ""instructions"": [{""parameters"": {""label"": ""Directory ID (Tenant ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID (Client ID)"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy the Push Connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret (Credential Secret) (THIS SECRET WILL NOT BE VISIBLE AFTER LEAVING THIS PAGE)"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy the Push Connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint (URL)"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy the Push Connector to get the Data Collection Endpoint""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule ID (Rule ID)"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy the Push Connector to get the Data Collection Rule ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace Permissions"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false}}], ""customs"": [{""name"": ""Microsoft Entra Create Permissions"", ""description"": ""Permissions to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Role Assignment Permissions"", ""description"": ""Write permissions required to assign Monitoring Metrics Publisher role to the data collection rule (DCR). 
Typically requires Owner or User Access Administrator role at the resource group level.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Halcyon/Data%20Connectors/Halcyon_ccp/Halcyon_connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Halcyon","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Halcyon/Data%20Connectors/Halcyon_ccp/Halcyon_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Halcyon/Data%20Connectors/Halcyon_ccp/Halcyon_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#halcyon-connector" "HolmSecurityAssets","Holm Security","Holm Security Asset Data","The connector provides the capability to poll data from Holm Security Center into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to a Holm Security Assets to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Holm Security API**\n\n [Follow these instructions](https://support.holmsecurity.com/knowledge/how-do-i-set-up-an-api-token) to create an API authentication token.""}, {""title"": """", ""description"": ""**STEP 2 - Use the below deployment option to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Holm Security connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Holm Security API authorization Token, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Azure Resource Manager (ARM) Template Deployment"", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the Holm Security connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-holmsecurityassets-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password**, 'and/or Other required fields'. \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. 
\n5. Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Holm Security API Token"", ""description"": ""Holm Security API Token is required. [Holm Security API Token](https://support.holmsecurity.com/)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HolmSecurity/Data%20Connectors/HolmSecurityAssets_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","HolmSecurity","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#holm-security-asset-data-using-azure-functions" "IONIXDefinition","IONIX","IONIX Security Logs (via Codeless Connector Framework)","The IONIX connector allows you to ingest action items from your IONIX Attack Surface Management platform into Microsoft Sentinel using the Codeless Connector Framework (CCF). 
Action items represent security findings and vulnerabilities that require remediation.

**This connector automatically polls the IONIX API and writes data to the CyberpionActionItems_CL table.**","[{""title"": ""Connect IONIX to Microsoft Sentinel"", ""description"": ""This connector uses the IONIX API to automatically poll for action items and ingest them into Microsoft Sentinel. You need an API token from your IONIX Portal.\n>"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""IONIX API Token"", ""placeholder"": ""Enter your JWT API token from IONIX Settings > API"", ""type"": ""password"", ""name"": ""apiToken"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""IONIX Account Name"", ""placeholder"": ""cyberpion"", ""type"": ""text"", ""name"": ""accountName"", ""validations"": {""required"": true}}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""IONIX API Token"", ""description"": ""An API token from IONIX Portal is required. 
Create one in **Settings > API** in your [IONIX Portal](https://portal.ionix.io/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Data%20Connectors/IONIXActionItems_CCF/IONIX_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","IONIX","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Data%20Connectors/IONIXActionItems_CCF/IONIX_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IONIX/Data%20Connectors/IONIXActionItems_CCF/IONIX_PollerConfig.json","APIKey;Paging","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#ionix-security-logs-via-codeless-connector-framework" 
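Review bot: the only change in this hunk is one boolean flipped from `"true"` to `"false"` in the HYASProtect row (the column immediately after `"HYAS Protect","false",""` and before the `"HTTP Data Collector API"` ingestion-method fields), and nothing in the hunk identifies that column or explains why HYAS Protect alone is reclassified while neighbouring rows such as HolmSecurityAssets and GreyNoiseConnector keep `"true"` in the same position. The CSV header is not part of the hunk, so a reader cannot tell which classification flag this is; state the reason in the commit message or the matching README version entry, and if this file is produced by the generator script, drive the flip from the generator's configuration rather than a hand edit so the next regeneration does not silently revert it.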
@@ -321,17 +325,17 @@ "IPinfoWHOISORGDataConnector","IPinfo","IPinfo WHOIS ORG Data Connector","This IPinfo data connector installs an Azure Function app to download WHOIS_ORG datasets and insert it into custom log table in Microsoft Sentinel","[{""title"": ""1. Retrieve API Token"", ""description"": ""Retrieve your IPinfo API Token [here](https://ipinfo.io/).""}, {""title"": ""2. In your Azure AD tenant, create an Azure Active Directory (AAD) application"", ""description"": ""In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID, and Client Secret: Use this Link.""}, {""title"": ""3. Assign the AAD application the Microsoft Sentinel Contributor Role."", ""description"": ""Assign the AAD application you just created to the Contributor(Privileged administrator roles) and Monitoring Metrics Publisher(Job function roles) in the same \u201cResource Group\u201d you use for \u201cLog Analytic Workspace\u201d on which \u201cMicrosoft Sentinel\u201d is added: Use this Link.""}, {""title"": ""4. Get Workspace Resource ID"", ""description"": ""Use the Log Analytic Workspace -> Properties blade having the 'Resource ID' property value. This is a fully qualified resourceId which is in the format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'""}, {""title"": ""5. Deploy the Azure Function"", ""description"": ""Use this for automated deployment of the IPinfo data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-IPinfo-WHOIS-ORG-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the **RESOURCE_ID**, **IPINFO_TOKEN**, **TENANT_ID**, **CLIENT_ID**, **CLIENT_SECRET**.""}, {""title"": ""Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the IPinfo data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the Azure Function App file. Extract the archive to your local development computer [Azure Function App](https://aka.ms/sentinel-Ipinfo-WHOIS-ORG-functionapp). \n2. Create Function App using Hosting Functions Premium or App service plan using advanced option using VSCode. \n3. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode. \n4. After successful deployment of the function app, follow the next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Settings** -> **Configuration** or **Environment variables**. \n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive):\n\t\tRESOURCE_ID\n\t\tIPINFO_TOKEN\n\t\tTENANT_ID\n\t\tCLIENT_ID\n\t\tCLIENT_SECRET\n\t\tRETENTION_IN_DAYS\n\t\tTOTAL_RETENTION_IN_DAYS\n\t\tSCHEDULE\n\t\tLOCATION \n5. 
Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""IPinfo API Token"", ""description"": ""Retrieve your IPinfo API Token [here](https://ipinfo.io/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IPinfo/Data%20Connectors/WHOIS%20ORG/IPinfo_WHOIS_ORG_API_AzureFunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","IPinfo","false","","true","","","","Log Ingestion API","Azure Function code uses LogsIngestionClient/Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#ipinfo-whois-org-data-connector" "IPinfoWHOISPOCDataConnector","IPinfo","IPinfo WHOIS POC Data Connector","This IPinfo data connector installs an Azure Function app to download WHOIS_POC datasets and insert it into custom log table in Microsoft Sentinel","[{""title"": ""1. 
Retrieve API Token"", ""description"": ""Retrieve your IPinfo API Token [here](https://ipinfo.io/).""}, {""title"": ""2. In your Azure AD tenant, create an Azure Active Directory (AAD) application"", ""description"": ""In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID, and Client Secret: Use this Link.""}, {""title"": ""3. Assign the AAD application the Microsoft Sentinel Contributor Role."", ""description"": ""Assign the AAD application you just created to the Contributor(Privileged administrator roles) and Monitoring Metrics Publisher(Job function roles) in the same \u201cResource Group\u201d you use for \u201cLog Analytic Workspace\u201d on which \u201cMicrosoft Sentinel\u201d is added: Use this Link.""}, {""title"": ""4. Get Workspace Resource ID"", ""description"": ""Use the Log Analytic Workspace -> Properties blade having the 'Resource ID' property value. This is a fully qualified resourceId which is in the format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'""}, {""title"": ""5. Deploy the Azure Function"", ""description"": ""Use this for automated deployment of the IPinfo data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-IPinfo-WHOIS-POC-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **RESOURCE_ID**, **IPINFO_TOKEN**, **TENANT_ID**, **CLIENT_ID**, **CLIENT_SECRET**.""}, {""title"": ""Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the IPinfo data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. 
Download the Azure Function App file. Extract the archive to your local development computer [Azure Function App](https://aka.ms/sentinel-Ipinfo-WHOIS-POC-functionapp). \n2. Create Function App using Hosting Functions Premium or App service plan using advanced option using VSCode. \n3. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode. \n4. After successful deployment of the function app, follow the next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Settings** -> **Configuration** or **Environment variables**. \n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive):\n\t\tRESOURCE_ID\n\t\tIPINFO_TOKEN\n\t\tTENANT_ID\n\t\tCLIENT_ID\n\t\tCLIENT_SECRET\n\t\tRETENTION_IN_DAYS\n\t\tTOTAL_RETENTION_IN_DAYS\n\t\tSCHEDULE\n\t\tLOCATION \n5. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""IPinfo API Token"", ""description"": ""Retrieve your IPinfo API Token [here](https://ipinfo.io/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IPinfo/Data%20Connectors/WHOIS%20POC/IPinfo_WHOIS_POC_API_AzureFunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","IPinfo","false","","true","","","","Log Ingestion API","Azure Function code uses LogsIngestionClient/Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#ipinfo-whois-poc-data-connector" "ISCBind","ISC","[Deprecated] ISC Bind","The [ISC Bind](https://www.isc.org/bind/) connector allows you to easily connect your ISC Bind logs with Microsoft Sentinel. This gives you more insight into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the ISC Bind"", ""description"": ""1. Follow these instructions to configure the ISC Bind to forward syslog: \n - [DNS Logs](https://kb.isc.org/docs/aa-01526) \n2. Configure Syslog to send the Syslog traffic to Agent. 
Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""ISC Bind"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Data%20Connectors/Connector_Syslog_ISCBind.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.SyslogMessage !has ""response:"" | Syslog.SyslogMessage has_all ""client""","true","ISC Bind","true","","true","","","","","","","" -"IllumioCore","Illumio","[Deprecated] Illumio Core via Legacy Agent","The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).""}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure Ilumio Core to send logs using CEF"", ""description"": ""2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. 
Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core/Data%20Connectors/Connector_IllumioCore_CEF.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceCustomString1Label in~ ""dst_vulns,event_href"" | CommonSecurityLog.DeviceCustomString2Label in~ ""resource_changes,state"" | CommonSecurityLog.DeviceCustomString4Label in~ ""dst_labels,notifications"" | CommonSecurityLog.DeviceCustomString6Label =~ ""dst_href"" | CommonSecurityLog.DeviceVendor =~ ""Illumio""","true","Illumio Core","true","","true","","","","","","","" -"IllumioCoreAma","Illumio","[Deprecated] Illumio Core via AMA","The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. 
Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine.""}, {""title"": ""Step B. Configure Ilumio Core to send logs using CEF"", ""description"": ""Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core/Data%20Connectors/template_IllumioCoreAMA.json","","AMA","Title/ID indicates AMA","Illumio","","{""CommonSecurityLog"": {""vendor"": [""Illumio""], ""product"": []}}","CommonSecurityLog.DeviceCustomString1Label in~ ""dst_vulns,event_href"" | CommonSecurityLog.DeviceCustomString2Label in~ ""resource_changes,state"" | CommonSecurityLog.DeviceCustomString4Label in~ ""dst_labels,notifications"" | CommonSecurityLog.DeviceCustomString6Label =~ ""dst_href"" | CommonSecurityLog.DeviceVendor =~ ""Illumio""","true","Illumio Core","true","","true","","","","","","","" +"IllumioCore","Illumio","[Deprecated] Illumio Core via Legacy Agent","The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM).""}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure Ilumio Core to send logs using CEF"", ""description"": ""2.1 Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\n2.2 Configure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. 
Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core/Data%20Connectors/Connector_IllumioCore_CEF.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceCustomString1Label in~ ""dst_vulns,event_href"" | CommonSecurityLog.DeviceCustomString2Label in~ ""resource_changes,state"" | CommonSecurityLog.DeviceCustomString4Label in~ ""dst_labels,notifications"" | CommonSecurityLog.DeviceCustomString6Label =~ ""dst_href"" | CommonSecurityLog.DeviceVendor =~ ""Illumio""","true","Illumio Core","true","","false","","","","","","","" +"IllumioCoreAma","Illumio","[Deprecated] Illumio Core via AMA","The [Illumio Core](https://www.illumio.com/products/) data connector provides the capability to ingest Illumio Core logs into Microsoft Sentinel.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias IllumioCoreEvent and load the function code or click [here](https://aka.ms/sentinel-IllumioCore-parser).The function usually takes 10-15 minutes to activate after solution installation/update and maps Illumio Core events to Microsoft Sentinel Information Model (ASIM)."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. 
Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine.""}, {""title"": ""Step B. Configure Ilumio Core to send logs using CEF"", ""description"": ""Configure Event Format\n\n 1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.\n\n 2. Click **Edit** to change the settings.\n\n 3. Set **Event Format** to CEF.\n\n 4. (Optional) Configure **Event Severity** and **Retention Period**.\n\nConfigure event forwarding to an external syslog server\n\n 1. From the PCE web console menu, choose **Settings > Event Settings**.\n\n 2. Click **Add**.\n\n 3. Click **Add Repository**.\n\n 4. Complete the **Add Repository** dialog.\n\n 5. Click **OK** to save the event forwarding configuration.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core/Data%20Connectors/template_IllumioCoreAMA.json","","AMA","Title/ID indicates AMA","Illumio","","{""CommonSecurityLog"": {""vendor"": [""Illumio""], ""product"": []}}","CommonSecurityLog.DeviceCustomString1Label in~ ""dst_vulns,event_href"" | CommonSecurityLog.DeviceCustomString2Label in~ ""resource_changes,state"" | CommonSecurityLog.DeviceCustomString4Label in~ ""dst_labels,notifications"" | CommonSecurityLog.DeviceCustomString6Label =~ ""dst_href"" | CommonSecurityLog.DeviceVendor =~ ""Illumio""","true","Illumio Core","true","","false","","","","","","","" "IllumioInsightsDefinition","Microsoft","Illumio Insights","Illumio Insights Connector sends workload and security graph data from Illumio Insights into the Azure Microsoft Sentinel Data Lake, providing deep context for threat detection, lateral movement analysis, and real-time investigation.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Illumio Insights Connector\n\n**Prerequisites**\n- Register and Login to Illumio Console with valid credentials\n- Purchase Illumio Insights or Start a free Trial for Illumio Insights\n\n**Step 1: Register the Service Account**\n1. Go to **Illumio Console \u2192 Access \u2192 Service Accounts**\n2. Create a service account for the tenant\n3. Once you create a service account, you will receive the client credentials\n4. 
Copy the **auth_username** (Illumio Insights API Key) and the **Secret** (API Secret)\n\n**Step 2: Add Client Credentials to Sentinel Account**\n- Add the API key and secret to Sentinel Account for tenant authentication\n- These credentials will be used to authenticate calls to the Illumio SaaS API\n\nPlease fill in the required fields below with the credentials obtained from the Illumio Console:""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Illumio Insights Api Key"", ""placeholder"": ""api_XXXXXX"", ""type"": ""password"", ""name"": ""apiKey""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Api Secret"", ""placeholder"": ""API Secret"", ""type"": ""password"", ""name"": ""apiToken""}}, {""parameters"": {""label"": ""Illumio Tenant Id"", ""placeholder"": ""{IllumioTenantId - Optional}"", ""type"": ""text"", ""name"": ""illumioTenantId""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsight_CCP/IllumioInsight_Definition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Illumio Insight","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsight_CCP/IllumioInsight_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsight_CCP/IllumioInsight_PollingConfig.json","APIKey","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#illumio-insights" 
"IllumioInsightsSummaryCCP","Illumio","Illumio Insights Summary","The Illumio Insights Summary connector Publishes AI-powered threat discovery and anomaly reports generated by the Illumio Insights Agent. Leveraging the MITRE ATT&CK framework, these reports surface high-fidelity insights into emerging threats and risky behaviors, directly into the Data Lake.","[{""title"": ""1. Configuration"", ""description"": ""Configure the Illumio Insights Summary connector."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""> This data connector may take 24 hrs for the latest report after onboarding""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Illumio Insights Summary Connector\n\n**Prerequisites**\n- Register and Login to Illumio Console with valid credentials\n- Purchase Illumio Insights or Start a free Trial for Illumio Insights\n- Enable The Illumio Insights Agent\n\n**Step 1: Register the Service Account**\n1. Go to **Illumio Console \u2192 Access \u2192 Service Accounts**\n2. Create a service account for the tenant\n3. Once you create a service account, you will receive the client credentials\n4. 
Copy the **auth_username** (Illumio Insights API Key) and the **Secret** (API Secret)\n\n**Step 2: Add Client Credentials to Sentinel Account**\n- Add the API key and secret to Sentinel Account for tenant authentication\n- These credentials will be used to authenticate calls to the Illumio SaaS API \n\nPlease fill in the required fields below with the credentials obtained from the Illumio Console:""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Illumio Insights Api Key"", ""placeholder"": ""api_XXXXXX"", ""type"": ""password"", ""name"": ""apiKey""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Api Secret"", ""placeholder"": ""API Secret"", ""type"": ""password"", ""name"": ""apiToken""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Illumio Tenant ID"", ""placeholder"": ""{IllumioTenantId - Optional}"", ""type"": ""text"", ""name"": ""illumioTenantId""}}]}, {""title"": ""2. Connect"", ""description"": ""Enable the Illumio Insights Summary connector."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsSummaryConnector_CCP/IllumioInsightsSummary_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Illumio 
Insight","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsSummaryConnector_CCP/IllumioInsightsSummary_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsSummaryConnector_CCP/IllumioInsightsSummary_PollingConfig.json","APIKey","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#illumio-insights-summary" "IllumioSaaSDataConnector","Illumio","Illumio SaaS","[Illumio](https://www.illumio.com/) connector provides the capability to ingest events into Microsoft Sentinel. The connector provides ability to ingest auditable and flow events from AWS S3 bucket.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": ""Prerequisites"", ""description"": ""1. Ensure AWS SQS is configured for the s3 bucket from which flow and auditable event logs are going to be pulled. In case, Illumio provides bucket, please contact Illumio support for sqs url, s3 bucket name and aws credentials. \n 2. Register AAD application - For DCR (Data collection rule) to authentiate to ingest data into log analytics, you must use Entra application. 1. 
[Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n 2. Ensure you have created a log analytics workspace. \nPlease keep note of the name and region where it has been deployed.""}, {""title"": ""Deployment"", ""description"": ""Choose one of the approaches from below options. Either use the below ARM template to deploy azure resources or deploy function app manually.""}, {""title"": ""1. Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of Azure resources using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-IllumioSaaS-FunctionApp) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.""}, {""title"": ""2. Deploy additional function apps to handle scale"", ""description"": ""Use this method for automated deployment of additional function apps using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-IllumioSaaS-QueueTriggerFunctionApp) \t\t\t\n""}, {""title"": ""3. Manual Deployment of Azure Functions"", ""description"": ""Deployment via Visual Studio Code.""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n1. Download the [Azure Function App](https://github.com/Azure/Azure-Sentinel/raw/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip) file. 
Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. Follow documentation to set up all required environment variables and click **Save**. Ensure you restart the function app once settings are saved.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""SQS and AWS S3 account credentials/permissions"", ""description"": ""**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](). If you are using s3 bucket provided by Illumio, contact Illumio support. 
At your request they will provide you with the AWS S3 bucket name, AWS SQS url and AWS credentials to access them.""}, {""name"": ""Illumio API key and secret"", ""description"": ""**ILLUMIO_API_KEY**, **ILLUMIO_API_SECRET** is required for a workbook to make connection to SaaS PCE and fetch api responses.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioSaaS_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","IllumioSaaS","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#illumio-saas-using-azure-functions" "IllumioSaasCCFDefinition","Microsoft","Illumio Saas","The Illumio Saas Cloud data connector provides the capability to ingest Flow logs into Microsoft Sentinel using the Illumio Saas Log Integration through AWS S3 Bucket. Refer to [Illumio Saas Log Integration](https://product-docs-repo.illumio.com/Tech-Docs/CloudSecure/out/en/administer-cloudsecure/connector.html#UUID-c14edaab-9726-1f23-9c4c-bc2937be39ee_section-idm234556433515698) for more information.","[{""title"": ""Connect Illumio Saas to Microsoft Sentinel\n\n"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": "">**NOTE:** This connector fetches the Illumio Saas Flow logs from AWS S3 bucket""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Illumio, you need to configure the following resources""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. AWS Role ARN \n To gather data from Illumio, you'll need AWS Role ARN.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. 
AWS SQS Queue URL \n To gather data from Illumio, you'll need AWS SQS Queue URL.\n\n""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""For detailed steps to retrieve the AWS Role ARN, SQS Queue URL, and configure Illumio log forwarding to the Amazon S3 bucket, refer to the [Connector Setup Guide](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioSaasLogs_ccf/Readme.md).""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnValue"": ""properties.roleArn"", ""columnName"": ""AWS Role ARN""}, {""columnValue"": ""properties.sqsUrls[0]"", ""columnName"": ""AWS SQS Queue URL""}, {""columnValue"": ""properties.destinationTable"", ""columnName"": ""Table Name""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add Account"", ""title"": ""Add Account"", ""subtitle"": ""Add Account"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Role ARN"", ""placeholder"": ""Enter Role ARN"", ""type"": ""text"", ""name"": ""roleArn"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Flow Log Queue URL"", ""placeholder"": ""Enter Flow log SQL Queue URL"", ""type"": ""text"", ""name"": ""queueUrl"", ""required"": true}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioSaasLogs_ccf/IllumioSaasLogs_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","true","IllumioSaaS","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioSaasLogs_ccf/IllumioSaasLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioSaasLogs_ccf/IllumioSaasLogs_PollerConfig.json","AmazonWebServicesS3","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#illumio-saas-using-azure-functions" -"ImpervaCloudWAFLogsCCFDefinition","Microsoft","Imperva Cloud WAF (via Codeless Connector Framework)","The Imperva WAF Cloud data connector provides the capability to ingest logs into Microsoft Sentinel using the Imperva Log Integration via AWS S3 with SQS notifications. The connector parses CEF-formatted WAF events including access logs and security alerts for threat detection and investigation.Refer to [Imperva WAF Cloud Log Integration](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm) for more information.","[{""title"": ""Connect Imperva WAF Cloud to Microsoft Sentinel\n\n"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": "">**NOTE:** This connector fetches the Imperva Cloud WAF logs from AWS S3 bucket""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Imperva, you need to configure the following resources""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. AWS Role ARN \n To gather data from Imperva, you'll need AWS Role ARN.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. 
AWS SQS Queue URL \n To gather data from Imperva, you'll need AWS SQS Queue URL.\n\n""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""For detailed steps to retrieve the AWS Role ARN, SQS Queue URL, and configure Imperva log forwarding to the Amazon S3 bucket, refer to the [Connector Setup Guide](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/Readme.md).""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnValue"": ""properties.roleArn"", ""columnName"": ""AWS Role ARN""}, {""columnValue"": ""properties.sqsUrls[0]"", ""columnName"": ""AWS SQS Queue URL""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add Account"", ""title"": ""Add Account"", ""subtitle"": ""Add Account"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Role ARN"", ""placeholder"": ""Enter Role ARN"", ""type"": ""text"", ""name"": ""roleArn"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Queue URL"", ""placeholder"": ""Enter SQL Queue URL"", ""type"": ""text"", ""name"": ""queueUrl"", ""required"": true}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","SentinelImpervaWAFCloudV2Logs.AttackSeverity != 
""0""","false","ImpervaCloudWAF","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_PollingConfig.json","AmazonWebServicesS3","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#imperva-cloud-waf-via-codeless-connector-framework" +"ImpervaCloudWAFLogsCCFDefinition","Microsoft","Imperva Cloud WAF (via Codeless Connector Framework)","The Imperva WAF Cloud data connector provides the capability to ingest logs into Microsoft Sentinel using the Imperva Log Integration via AWS S3 with SQS notifications. The connector parses CEF-formatted WAF events including access logs and security alerts for threat detection and investigation.Refer to [Imperva WAF Cloud Log Integration](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm) for more information.","[{""title"": ""Connect Imperva WAF Cloud to Microsoft Sentinel\n\n"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": "">**NOTE:** This connector fetches the Imperva Cloud WAF logs from AWS S3 bucket""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Imperva, you need to configure the following resources""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. AWS Role ARN \n To gather data from Imperva, you'll need AWS Role ARN.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. 
AWS SQS Queue URL \n To gather data from Imperva, you'll need AWS SQS Queue URL.\n\n""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""For detailed steps to retrieve the AWS Role ARN, SQS Queue URL, and configure Imperva log forwarding to the Amazon S3 bucket, refer to the [Connector Setup Guide](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/Readme.md).""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnValue"": ""properties.roleArn"", ""columnName"": ""AWS Role ARN""}, {""columnValue"": ""properties.sqsUrls[0]"", ""columnName"": ""AWS SQS Queue URL""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add Account"", ""title"": ""Add Account"", ""subtitle"": ""Add Account"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Role ARN"", ""placeholder"": ""Enter Role ARN"", ""type"": ""text"", ""name"": ""roleArn"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Queue URL"", ""placeholder"": ""Enter SQS Queue URL"", ""type"": ""text"", ""name"": ""queueUrl"", ""required"": true}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""AWS IAM Role"", ""description"": ""An AWS IAM Role with cross-account trust policy is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","SentinelImpervaWAFCloudV2Logs.AttackSeverity != ""0""","false","ImpervaCloudWAF","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaCloudWAFLogs_ccf/ImpervaCloudWAFLogs_PollingConfig.json","AmazonWebServicesS3","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#imperva-cloud-waf-via-codeless-connector-framework" "ImpervaWAFCloudAPI","Imperva","Imperva Cloud WAF","The [Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) data connector provides the capability to integrate and ingest Web Application Firewall events into Microsoft Sentinel through the REST API. Refer to Log integration [documentation](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm#Download) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Imperva Cloud API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App.""}, {""description"": "">**NOTE:**This data connector depends on a parser based on a Kusto Function to work as expected [**ImpervaWAFCloud**](https://aka.ms/sentinel-impervawafcloud-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Log Integration**\n\n [Follow the instructions](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm#Setuplogintegration) to obtain the credentials. \n""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Functions**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Imperva Cloud WAF data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-impervawafcloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **ImpervaAPIID**, **ImpervaAPIKey**, **ImpervaLogServerURI** and deploy. \n4. 
Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Imperva Cloud WAF data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-impervawafcloud-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ImpervaCloudXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. 
Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tImpervaAPIID\n\t\tImpervaAPIKey\n\t\tImpervaLogServerURI\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**ImpervaAPIID**, **ImpervaAPIKey**, **ImpervaLogServerURI** are required for the API. [See the documentation to learn more about Setup Log Integration process](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm#Setuplogintegration). Check all [requirements and follow the instructions](https://docs.imperva.com/bundle/cloud-application-security/page/settings/log-integration.htm#Setuplogintegration) for obtaining credentials. Please note that this connector uses CEF log event format. [More information](https://docs.imperva.com/bundle/cloud-application-security/page/more/log-file-structure.htm#Logfilestructure) about log format.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ImpervaCloudWAF/Data%20Connectors/ImpervaWAFCloud_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","ImpervaCloudWAF","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#imperva-cloud-waf-using-azure-functions" "ImpervaWAFGateway","Imperva","Imperva WAF Gateway","The [Imperva](https://www.imperva.com) connector will allow you to quickly connect your Imperva WAF Gateway alerts to Azure Sentinel. This provides you additional insight into your organization's WAF traffic and improves your security operation capabilities.","[{""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.""}, {""title"": ""3. SecureSphere MX Configuration"", ""description"": ""This connector requires an Action Interface and Action Set to be created on the Imperva SecureSphere MX. 
[Follow the steps](https://community.imperva.com/blogs/craig-burlingame1/2020/11/13/steps-for-enabling-imperva-waf-gateway-alert) to create the requirements."", ""innerSteps"": [{""title"": ""3.1 Create the Action Interface"", ""description"": ""Create a new Action Interface that contains the required parameters to send WAF alerts to Azure Sentinel.""}, {""title"": ""3.2 Create the Action Set "", ""description"": ""Create a new Action Set that uses the Action Interface configured.""}, {""title"": ""3.3 Apply the Action Set"", ""description"": ""Apply the Action Set to any Security Policies you wish to have alerts for sent to Azure Sentinel.""}]}, {""title"": ""4. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n"", ""innerSteps"": [{""title"": ""4.1 Check for logs in the past 5 minutes using the following command.\n\nCommonSecurityLog | where DeviceVendor == \""Imperva Inc.\"" | where DeviceProduct == \""WAF Gateway\"" | where TimeGenerated == ago(5m)""}]}, {""title"": ""5. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Imperva%20WAF%20Gateway/Data%20Connectors/Connector_Imperva_WAF_Gateway.json","","AMA","Uses CEF installer script","Imperva;Imperva Inc.","WAF Gateway","{""CommonSecurityLog"": {""vendor"": [""Imperva"", ""Imperva Inc.""], ""product"": [""WAF Gateway""]}}","CommonSecurityLog.Activity == ""sql-injection"" | CommonSecurityLog.DeviceAction == ""block"" | CommonSecurityLog.DeviceProduct == ""WAF Gateway"" | CommonSecurityLog.DeviceVendor in ""Imperva,Imperva Inc."" | CommonSecurityLog.LogSeverity == ""High""","false","Imperva WAF Gateway","false","","false","","","","","","","" "InfoSecDataConnector","InfoSecGlobal","InfoSecGlobal Data Connector","Use this data connector to integrate with InfoSec Crypto Analytics and get data sent directly to Microsoft Sentinel.","[{""title"": ""InfoSecGlobal Crypto Analytics Data Connector"", ""description"": ""1. Data is sent to Microsoft Sentinel through Logstash\n 2. Required Logstash configuration is included with Crypto Analytics installation\n 3. 
Documentation provided with the Crypto Analytics installation explains how to enable sending data to Microsoft Sentinel\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AgileSec%20Analytics%20Connector/Data%20Connectors/Connector_Analytics_InfoSec.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","AgileSec Analytics Connector","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#infosecglobal-data-connector" -"InfobloxCloudDataConnector","Infoblox","[Deprecated] Infoblox Cloud Data Connector via Legacy Agent","The Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. 
By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""title"": """", ""description"": "">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements."", ""instructions"": []}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. 
The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"", ""description"": ""Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. 
\n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Data%20Connectors/InfobloxCloudDataConnector.json","","AMA","Title mentions Legacy Agent","Infoblox","Data Connector","{""CommonSecurityLog"": {""vendor"": [""Infoblox""], ""product"": [""Data Connector""]}}","CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=APP_"" | CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=CAT_"" | CommonSecurityLog.DeviceEventClassID == ""DHCP-LEASE-CREATE"" | CommonSecurityLog.DeviceEventClassID has_cs ""DNS"" | CommonSecurityLog.DeviceEventClassID has_cs ""RPZ"" | CommonSecurityLog.DeviceProduct == ""Data Connector"" | CommonSecurityLog.DeviceVendor == ""Infoblox"" | _Computed.ThreatLevel_Score == ""0""","true","Infoblox Cloud Data Connector","true","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#infoblox-cloud-data-connector-via-ama" +"InfobloxCloudDataConnector","Infoblox","[Deprecated] Infoblox Cloud Data Connector via Legacy Agent","The 
Infoblox Cloud Data Connector allows you to easily connect your Infoblox BloxOne data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""title"": """", ""description"": "">**IMPORTANT:** This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements."", ""instructions"": []}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure Infoblox BloxOne to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"", ""description"": ""Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. 
\n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector/Data%20Connectors/InfobloxCloudDataConnector.json","","AMA","Title mentions Legacy Agent","Infoblox","Data Connector","{""CommonSecurityLog"": {""vendor"": [""Infoblox""], ""product"": [""Data Connector""]}}","CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=APP_"" | CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=CAT_"" | CommonSecurityLog.DeviceEventClassID == ""DHCP-LEASE-CREATE"" | CommonSecurityLog.DeviceEventClassID has_cs ""DNS"" | CommonSecurityLog.DeviceEventClassID has_cs ""RPZ"" | CommonSecurityLog.DeviceProduct == ""Data Connector"" | CommonSecurityLog.DeviceVendor == ""Infoblox"" | _Computed.ThreatLevel_Score == ""0""","true","Infoblox Cloud Data Connector","true","","false","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#infoblox-cloud-data-connector-via-ama" "InfobloxCloudDataConnectorAma","Infoblox","[Recommended] Infoblox Cloud Data Connector via AMA","The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""description"": "">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). 
As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of Threat Defense, access to an appropriate Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements."", ""instructions"": []}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. 
Configure Infoblox to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent"", ""description"": ""Follow the steps below to configure the Infoblox CDC to send data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Data%20Connectors/InfobloxCEFDataConnector/template_InfobloxCloudDataConnectorAma.JSON","","AMA","Title/ID indicates AMA","Infoblox","Data Connector","{""CommonSecurityLog"": {""vendor"": [""Infoblox""], ""product"": [""Data Connector""]}}","CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=APP_"" | CommonSecurityLog.AdditionalExtensions has_cs ""InfobloxRPZ=CAT_"" | CommonSecurityLog.DeviceEventClassID == ""DHCP-LEASE-CREATE"" | CommonSecurityLog.DeviceEventClassID has_cs ""Audit"" | CommonSecurityLog.DeviceEventClassID has_cs ""DHCP"" | CommonSecurityLog.DeviceEventClassID has_cs ""DNS"" | CommonSecurityLog.DeviceEventClassID has_cs ""RPZ"" | CommonSecurityLog.DeviceEventClassID has_cs ""Service"" | CommonSecurityLog.DeviceProduct =~ ""Data Connector"" | CommonSecurityLog.DeviceVendor =~ ""Infoblox"" | _Computed.ThreatLevel_Score == ""0""","false","Infoblox","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#infoblox-cloud-data-connector-via-ama" "InfobloxDataConnector","Infoblox","Infoblox Data Connector via REST API","The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Infoblox API to create Threat Indicators for TIDE and pull Dossier data into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. 
Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)""}, {""title"": """", ""description"": ""**STEP 4 - Steps to generate the Infoblox API Credentials**\n\n Follow these instructions to generate Infoblox API Key.\n In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. 
You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F).""}, {""title"": """", ""description"": ""**STEP 5 - Steps to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Infoblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Infoblox API Authorization Credentials"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Infoblox Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-infoblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tAzure Tenant Id \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tInfoblox API Token \n\t\tInfoblox Base URL \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tConfidence \n\t\tThreat Level \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Azure Subscription"", ""description"": ""Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group.""}, {""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Infoblox API Key** is required. 
See the documentation to learn more about API on the [Rest API reference](https://csp.infoblox.com/apidoc?url=https://csp.infoblox.com/apidoc/docs/Infrastructure#/Services/ServicesRead)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Data%20Connectors/InfobloxCloudDataConnector/Infoblox_API_FunctionApp.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (sentinelus.azure-api.net)","","","","","false","Infoblox","false","","true","","","","STIX 2.0 Upload Indicators API","Connector code references STIX 2.0 Upload Indicators API endpoint (matched 'sentinelus.azure-api.net')","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#infoblox-data-connector-via-rest-api" "InfobloxNIOS","Infoblox","[Deprecated] Infoblox NIOS","The [Infoblox Network Identity Operating System (NIOS)](https://www.infoblox.com/glossary/network-identity-operating-system-nios/) connector allows you to easily connect your Infoblox NIOS logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Infoblox and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parser/Infoblox.yaml), on the second line of the query, enter any unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the Infoblox NIOS"", ""description"": ""[Follow these instructions](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-slog-and-snmp-configuration-for-nios.pdf) to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}, {""title"": ""4. Configure the Sentinel parser"", ""description"": ""Update the watchlist 'Sources_by_Source' with the hostname(s) of your Infoblox device(s). 
Set SourceType to 'InfobloxNIOS' and Source to the value of 'Computer' seen in the logs seen in Syslog table.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Infoblox NIOS"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Data%20Connectors/Connector_Syslog_Infoblox.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.SyslogMessage !has ""response:"" | Syslog.SyslogMessage has_all ""client""","true","Infoblox NIOS","true","","true","","","","","","","" 
@@ -356,16 +360,18 @@ "KnowBe4DefendPolling","KnowBe4","KnowBe4 Defend","The KnowBe4 Defend audit connector provides the capability to ingest KnowBe4 Defend Data into Microsoft Sentinel.","[{""title"": ""Connect KnowBe4 Defend with Microsoft Sentinel"", ""description"": ""Enter your KnowBe4 Defend API URl, KnowBe4 Domain and API token."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""API URL"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{apiUrl}}""}, {""displayText"": ""Domain name"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{domain}}""}]}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions on the Log Analytics workspace are required to enable the data connector."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true, ""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""KnowBe4 API Token"", ""description"": ""A KnowBe4 API token is required to ingest audit records to Microsoft Sentinel.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/KnowBe4%20Defend/Data%20Connectors/DefendAPIConnector.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","","false","KnowBe4 Defend","false","","false","","","APIKey;Paging","","","true","" "LastPass_Polling","The Collective Consulting BV","LastPass Enterprise - Reporting (Polling CCP)","The [LastPass Enterprise](https://www.lastpass.com/products/enterprise-password-management-and-sso) connector provides the capability to LastPass reporting (audit) logs into Microsoft Sentinel. 
The connector provides visibility into logins and activity within LastPass (such as reading and removing passwords).","[{""title"": ""Connect LastPass Enterprise to Microsoft Sentinel"", ""description"": ""Provide the LastPass Provisioning API Key."", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""cid"", ""requestObjectKey"": ""queryParametersTemplate"", ""placeHolderName"": ""{{cidPlaceHolder}}""}]}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true, ""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""LastPass API Key and CID"", ""description"": ""A LastPass API key and CID are required. [See the documentation to learn more about LastPass API](https://support.logmeininc.com/lastpass/help/use-the-lastpass-provisioning-api-lp010068).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/LastPass/Data%20Connectors/LastPassAPIConnector.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","","false","Lastpass Enterprise Activity Monitoring","false","","true","","","APIKey;Paging;POST","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#lastpass-enterprise---reporting-polling-ccp" "LookoutAPI","Lookout","[DEPRECATED] Lookout","The [Lookout](https://lookout.com) data connector provides the capability to ingest [Lookout](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide#commoneventfields) events into Microsoft Sentinel through the Mobile Risk API. Refer to [API documentation](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide) for more information. 
The [Lookout](https://lookout.com) data connector provides ability to get events which helps to examine potential security risks and more.

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This [Lookout](https://lookout.com) data connector uses Azure Functions to connect to the Mobile Risk API to pull its events into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**LookoutEvents**](https://aka.ms/sentinel-lookoutapi-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Mobile Risk API**\n\n [Follow the instructions](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide#authenticatingwiththemobileriskapi) to obtain the credentials. \n""}, {""title"": """", ""description"": ""**STEP 2 - Follow below mentioned instructions to deploy the [Lookout](https://lookout.com) data connector and the associated Azure Function**\n\n>**IMPORTANT:** Before starting the deployment of the [Lookout](https://lookout.com) data connector, make sure to have the Workspace ID and Workspace Key ready (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Workspace Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Follow below steps for automated deployment of the [Lookout](https://lookout.com) data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-lookoutapi-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. 
\n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Function Name**, **Workspace ID**,**Workspace Key**,**Enterprise Name** & **Api Key** and deploy. \n4. Click **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Mobile Risk API Credentials/permissions"", ""description"": ""**EnterpriseName** & **ApiKey** are required for Mobile Risk API. [See the documentation to learn more about API](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide). 
Check all [requirements and follow the instructions](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide#authenticatingwiththemobileriskapi) for obtaining credentials.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Data%20Connectors/Lookout_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Lookout","true","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#deprecated-lookout" -"LookoutCloudSecurityDataConnector","Lookout","Lookout Cloud Security for Microsoft Sentinel","This connector uses a Agari REST API connection to push data into Microsoft Sentinel Log Analytics.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Agari REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**Step-by-Step Instructions**\n\n As a prerequisite to this integration, first, you need to configure an API client on Lookout's Management Console. From the Management Console, you can add one or more clients and configure the appropriate permissions and actions for each. \n\n 1. Name - The name given to this client. \n\n 2. Client ID - the unique ID that was provided for this client. \n\n 3. 
Permissions - The permissions enabled for this client. The permissions you check are those that the client will be allowed to access. The listed options are Activity, Violation, Anomaly, Insights, and Profile \n\n 4. Service URL - The URL used to access this client.It must start with https:// \n\n 5. Authorized IPs - The valid IP address or addresses that apply to this client. \n\n 6. Actions - The actions you can take for this client. Click the icon for the action you want to perform. Editing client information, displaying the client secret, or deleting the client. \n\n **To add a new API client:** \n\n 1. Go to Administration > Enterprise Integration > API Clients and click New. \n\n 2. Enter a Name (required) and a Description (optional). \n\n 3. Enter the Client ID that was provided to you. \n\n 4. Select one or more Permissions from the dropdown list. \n\n 5. Enter one or more Authorized IP addresses for this client. Separate each address with a comma.\n\n 6. Click Save. \n\n When prompted, copy the string for the client's secret. You will need this information (along with the client ID) to authenticate to the API gateway. ""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the data connector using an ARM Tempate.\n\n1. 
Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-LookoutCS-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Lookout Client ID**, **Lookout Client Secret**, **Lookout Base url**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-Lookout-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. 
The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tLookoutClientId\n\t\tLookoutApiSecret\n\t\tBaseurl\n\t\tWorkspaceID\n\t\tPrimaryKey\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel/Data%20Connectors/LookoutCSConnector/LookoutCloudSecurityConnector_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" +"LookoutCloudSecurityDataConnector","Lookout","Lookout Cloud Security for Microsoft Sentinel","This connector uses a Agari REST API connection to push data into Microsoft Sentinel Log Analytics.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Agari REST API to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**Step-by-Step Instructions**\n\n As a prerequisite to this integration, first, you need to configure an API client on Lookout's Management Console. From the Management Console, you can add one or more clients and configure the appropriate permissions and actions for each. \n\n 1. Name - The name given to this client. \n\n 2. Client ID - the unique ID that was provided for this client. \n\n 3. Permissions - The permissions enabled for this client. The permissions you check are those that the client will be allowed to access. The listed options are Activity, Violation, Anomaly, Insights, and Profile \n\n 4. Service URL - The URL used to access this client.It must start with https:// \n\n 5. Authorized IPs - The valid IP address or addresses that apply to this client. \n\n 6. Actions - The actions you can take for this client. Click the icon for the action you want to perform. Editing client information, displaying the client secret, or deleting the client. \n\n **To add a new API client:** \n\n 1. Go to Administration > Enterprise Integration > API Clients and click New. \n\n 2. Enter a Name (required) and a Description (optional). \n\n 3. Enter the Client ID that was provided to you. \n\n 4. Select one or more Permissions from the dropdown list. \n\n 5. Enter one or more Authorized IP addresses for this client. Separate each address with a comma.\n\n 6. Click Save. \n\n When prompted, copy the string for the client's secret. You will need this information (along with the client ID) to authenticate to the API gateway. 
""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Azure Blob Storage connection string and container name, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-LookoutCS-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Lookout Client ID**, **Lookout Client Secret**, **Lookout Base url**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-Lookout-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. 
Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions.\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tLookoutClientId\n\t\tLookoutApiSecret\n\t\tBaseurl\n\t\tWorkspaceID\n\t\tPrimaryKey\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. 
For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel/Data%20Connectors/LookoutCSConnector/LookoutCloudSecurityConnector_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","false","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "LookoutStreaming_Definition","Microsoft","Lookout Mobile Threat Detection Connector (via Codeless Connector Framework) (Preview)","The [Lookout Mobile Threat Detection](https://lookout.com) data connector provides the capability to ingest events related to mobile security risks into Microsoft Sentinel through the Mobile Risk API. Refer to [API documentation](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide) for more information. This connector helps you examine potential security risks detected in mobile devices.","[{""title"": ""Connect Lookout Mobile Threat Defence connector to Microsoft Sentinel"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""Before connecting to Lookout, ensure the following prerequisites are completed.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. **ApiKey** is required for Mobile Threat Detection API. See the [documentation](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide) to learn more about API. 
Check all requirements and follow the [instructions](https://esupport.lookout.com/s/article/Mobile-Risk-API-V2-Guide#authenticatingwiththemobileriskapi) for obtaining credentials.""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API key"", ""placeholder"": ""Enter your API key "", ""type"": ""password"", ""name"": ""applicationKey"", ""required"": true}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Data%20Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Lookout","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Data%20Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Data%20Connectors/LookoutStreamingConnector_ccp/LookoutStreaming_PollingConfig.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#lookout-mobile-threat-detection-connector-via-codeless-connector-framework-preview" "LumenThreatFeedConnectorV2","Lumen Technologies, Inc.","Lumen Defender Threat Feed Data Connector V2","The [Lumen Defender Threat Feed](https://www.lumen.com/en-us/security/black-lotus-labs.html) connector provides the capability to ingest STIX-formatted threat intelligence indicators from Lumen's Black Lotus Labs research team into Microsoft Sentinel. 
The connector automatically downloads and uploads threat intelligence indicators including IPv4 addresses and domains to the ThreatIntelIndicators table via the STIX Objects Upload API.

**NOTE:** This data connector uses the [Azure Functions Flex Consumption Plan](https://learn.microsoft.com/azure/azure-functions/flex-consumption-plan). More pricing details are [here](https://azure.microsoft.com/pricing/details/functions/#pricing).","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions with the Flex Consumption Plan to connect to the Lumen Defender Threat Feed API and upload threat intelligence indicators to Microsoft Sentinel via the STIX Objects API. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store API keys and secrets in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App.""}, {""title"": ""Configuration"", ""description"": ""**STEP 1 - Obtain Lumen Defender Threat Feed API Key**\n\n1. [Contact Lumen](mailto:DefenderThreatFeedSales@Lumen.com?subject=API%20Access%20Request) to obtain API access to our Threat Feed API service\n2. Obtain your API key for authentication.""}, {""title"": """", ""description"": ""**STEP 2 - Configure Azure Entra ID Application and gather information**\n\n1. Create a new Entra app registration from the **App registrations** tab in the Entra ID section of the Azure portal. [See the documentation for a guide to registering an application in Microsoft Entra ID.](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)\n2. Create a client secret and note the **Application ID**, **Tenant ID**, and **Client Secret**\n3. 
Assign the **Microsoft Sentinel Contributor** role to the newly registered application in the **Access control (IAM)** menu of your Microsoft Sentinel Log Analytics Workspace\n4. Make note of your **Workspace ID**, which can be obtained from the **overview** page of the Log Analytics Workspace for your Microsoft Sentinel instance."", ""instructions"": [{""parameters"": {""fillWith"": [""TenantId""], ""label"": ""Tenant ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**STEP 3 - Enable the **Threat Intelligence Upload Indicators API (Preview)** data connector in Microsoft Sentinel**\n\n1. Deploy the **Threat Intelligence (New) Solution**, which includes the **Threat Intelligence Upload Indicators API (Preview)**\n2. Browse to the Content Hub, find and select the **Threat Intelligence (NEW)** solution.\n3. Select the **Install/Update** button.""}, {""title"": """", ""description"": ""**STEP 4 - Deploy the Azure Function**\n\n>**IMPORTANT:** Before deploying the Lumen Defender Threat Feed connector, have the following information readily available:\n> - Tenant ID and Workspace ID\n> - Azure Entra application details (Client ID, Client Secret)\n> - Lumen API key\n>1. Click the Deploy to Azure button.\n\n[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FLumen%2520Defender%2520Threat%2520Feed%2FData%2520Connectors%2FLumenThreatFeedv2%2Fazuredeploy_Connector_LumenThreatFeed_AzureFunction_v2.json)\n\n2. 
Fill in the appropriate values for each parameter:\n\n**Basic Settings:**\n- **Subscription**: Confirm the correct subscription is selected or use the dropdown to change your selection\n- **Resource Group**: Select the resource group to be used by the Function App and related resources\n- **Function Name**: Enter a globally unique name for the Function App (11-character limit recommended)\n- **App Insights Workspace Resource ID**: The Resource ID of the Log Analytics Workspace for Application Insights (click **JSON View** on the Log Analytics workspace to copy)\n\n**Lumen API Settings:**\n- **Lumen API Key**: Obtain an API key through Lumen support\n- **Lumen Base URL**: Filled in automatically and should generally not be changed\n- **Confidence Threshold** (Optional): Minimum confidence score (60-100) for indicators (default: 60)\n- **Enable IPv4** (Optional): Enable IPv4 address indicators (default: true)\n- **Enable Domain** (Optional): Enable domain name indicators (default: true)\n\n**Azure Entra ID Settings:**\n- **Workspace ID**: Found in the \""Overview\"" tab for the Log Analytics Workspace of the Microsoft Sentinel instance\n- **Tenant ID**: Obtained from the Entra App Registration overview page (listed as Directory ID)\n- **Client ID**: Obtained from the Entra App Registration overview page (listed as Application ID)\n- **Client Secret**: Obtained when the secret is created during the app registration process""}, {""title"": """", ""description"": ""**STEP 5 - Verify Deployment**\n\n1. The connector polls for indicator updates every 15 minutes.\n2. After the app performs its first run, review the indicators ingested by either viewing the \""Lumen Defender Threat Feed Overview\"" workbook or viewing the \""Threat Intelligence\"" section in Microsoft Sentinel. 
In Microsoft Sentinel \""Threat Intelligence\"", filter for source \""Lumen\"" to display only Lumen generated indicators.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions on the Log Analytics workspace are required."", ""providerDisplayName"": ""Log Analytics Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Azure Entra App Registration"", ""description"": ""An Azure Entra application registration with the Microsoft Sentinel Contributor role assigned is required for STIX Objects API access. [See the documentation to learn more about Azure Entra applications](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).""}, {""name"": ""Microsoft Sentinel Contributor Role"", ""description"": ""Microsoft Sentinel Contributor role is required for the Azure Entra application to upload threat intelligence indicators.""}, {""name"": ""Lumen Defender Threat Feed API Key"", ""description"": ""A Lumen Defender Threat Feed API Key is required for accessing threat intelligence data. 
[Contact Lumen for API access](mailto:DefenderThreatFeedSales@Lumen.com?subject=API%20Access%20Request).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen%20Defender%20Threat%20Feed/Data%20Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2_ConnectorUI.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (api.ti.sentinel.azure.com)","","","","ThreatIntelIndicators.ObservableKey in ""domain-name:value,ipv4-addr:value"" | ThreatIntelIndicators.SourceSystem == ""Lumen""","false","Lumen Defender Threat Feed","false","","true","","","","STIX 2.1 Upload Indicators API","Connector code references STIX 2.1 Upload Indicators API endpoint (matched 'api.ti.sentinel.azure.com')","","" "LumenThreatFeedConnectorV2PrivateNetworking","Lumen Technologies, Inc.","Lumen Defender Threat Feed Data Connector V2 (using Azure Functions Flex Consumption Plan with Private Networking)","The [Lumen Defender Threat Feed](https://www.lumen.com/en-us/security/black-lotus-labs.html) connector provides the capability to ingest STIX-formatted threat intelligence indicators from Lumen's Black Lotus Labs research team into Microsoft Sentinel. The connector automatically downloads and uploads threat intelligence indicators including IPv4 addresses and domains to the ThreatIntelIndicators table via the STIX Objects Upload API.

**NOTE:** This data connector uses the [Azure Functions Flex Consumption Plan](https://learn.microsoft.com/azure/azure-functions/flex-consumption-plan) with VNet integration for secure, private network access to storage resources. More pricing details are [here](https://azure.microsoft.com/pricing/details/functions/#pricing).","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions with the Flex Consumption Plan to connect to the Lumen Defender Threat Feed API and upload threat intelligence indicators to Microsoft Sentinel via the STIX Objects API. The Flex Consumption Plan enables VNet integration for secure, private network access to storage resources. This might result in additional data ingestion and compute costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store API keys and secrets in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Functions App.""}, {""title"": ""Configuration"", ""description"": ""**STEP 1 - Network Prerequisites for Private Access**\n\n>**IMPORTANT:** When deploying with private storage account access, **you need a Virtual Network with two properly configured subnets.** You can either use an existing VNet or deploy one using the template below.\n\n**Option A: Deploy a New Virtual Network (Recommended for new deployments)**\n\nUse this template to create a properly configured VNet with two subnets:\n- **Function App Subnet**: Delegated to Microsoft.App/environments for Flex Consumption VNet integration\n- **Private Endpoint Subnet**: For storage account private endpoints\n\n[![Deploy VNet to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FLumen%2520Defender%2520Threat%2520Feed%2FData%2520Connectors%2FLumenThreatFeedv2%2Fazuredeploy_VNet_for_PrivateEndpoint.json)\n\nAfter deployment, note the following output values for use in STEP 5:\n- **VNet Name** (default: lumen-threatfeed-vnet)\n- **VNet Resource Group**\n- **Function App Subnet Name** (default: functionapp-subnet)\n- **Private Endpoint Subnet Name** (default: privateendpoint-subnet)\n\n**Option B: Use an Existing Virtual Network**\n\nIf using an existing VNet, ensure the following requirements are met:\n> - **Virtual Network**: Must be in the same region where you plan to deploy the Function App\n> - **Function App Subnet**: Must be delegated to **Microsoft.App/environments** (required for Flex Consumption Plan)\n> - **Private Endpoint Subnet**: Must NOT be delegated to any service\n> - **Subnet Size**: Minimum /24 recommended for each subnet\n> - **Subnet Delegation**: Configure using one of the following methods:\n> - **Azure Portal**: 
Virtual networks \u2192 Select VNet \u2192 Subnets \u2192 Select subnet \u2192 Delegate to **Microsoft.App/environments**\n> - **Azure CLI**: `az network vnet subnet update --resource-group --vnet-name --name --delegations Microsoft.App/environments`\n\n>**Note:** The connector deployment will automatically create private endpoints for storage services (blob, queue, table, file) and configure Private DNS zones.""}, {""title"": """", ""description"": ""**STEP 2 - Obtain Lumen Defender Threat Feed API Key**\n\n1. [Contact Lumen](mailto:DefenderThreatFeedSales@Lumen.com?subject=API%20Access%20Request) to obtain API access to our Threat Feed API service\n2. Obtain your API key for authentication.""}, {""title"": """", ""description"": ""**STEP 3 - Configure Azure Entra ID Application and gather information**\n\n1. Create a new Entra app registration from the **App registrations** tab in the Entra ID section of the Azure portal. [See the documentation for a guide to registering an application in Microsoft Entra ID.](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)\n2. Create a client secret and note the **Application ID**, **Tenant ID**, and **Client Secret**\n3. Assign the **Microsoft Sentinel Contributor** role to the newly registered application in the **Access control (IAM)** menu of your Microsoft Sentinel Log Analytics Workspace\n4. Make note of your **Workspace ID**, which can be obtained from the **overview** page of the Log Analytics Workspace for your Microsoft Sentinel instance."", ""instructions"": [{""parameters"": {""fillWith"": [""TenantId""], ""label"": ""Tenant ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**STEP 4 - Enable the **Threat Intelligence Upload Indicators API (Preview)** data connector in Microsoft Sentinel**\n\n1. 
Deploy the **Threat Intelligence (New) Solution**, which includes the **Threat Intelligence Upload Indicators API (Preview)**\n2. Browse to the Content Hub, find and select the **Threat Intelligence (NEW)** solution.\n3. Select the **Install/Update** button.""}, {""title"": """", ""description"": ""**STEP 5 - Deploy the Azure Function with Private Networking**\n\n>**IMPORTANT:** Before deploying the Lumen Defender Threat Feed connector, have the following information readily available:\n> - Tenant ID and Workspace ID\n> - Azure Entra application details (Client ID, Client Secret)\n> - Lumen API key\n> - Virtual Network name and Resource Group\n> - Function App Subnet name (delegated to Microsoft.App/environments)\n> - Private Endpoint Subnet name (non-delegated)\n\n1. Click the Deploy to Azure button.\n\n[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FLumen%2520Defender%2520Threat%2520Feed%2FData%2520Connectors%2FLumenThreatFeedv2%2Fazuredeploy_Connector_LumenThreatFeed_AzureFunction_v2_privateendpoint.json)\n\n2. 
Fill in the appropriate values for each parameter:\n\n**Basic Settings:**\n- **Subscription**: Confirm the correct subscription is selected or use the dropdown to change your selection\n- **Resource Group**: Select the resource group to be used by the Function App and related resources\n- **Function Name**: Enter a globally unique name for the Function App (11-character limit recommended)\n- **App Insights Workspace Resource ID**: The Resource ID of the Log Analytics Workspace for Application Insights (click **JSON View** on the Log Analytics workspace to copy)\n\n**Lumen API Settings:**\n- **Lumen API Key**: Obtain an API key through Lumen support\n- **Lumen Base URL**: Filled in automatically and should generally not be changed\n- **Confidence Threshold** (Optional): Minimum confidence score (60-100) for indicators (default: 60)\n- **Enable IPv4** (Optional): Enable IPv4 address indicators (default: true)\n- **Enable Domain** (Optional): Enable domain name indicators (default: true)\n\n**Azure Entra ID Settings:**\n- **Workspace ID**: Found in the \""Overview\"" tab for the Log Analytics Workspace of the Microsoft Sentinel instance\n- **Tenant ID**: Obtained from the Entra App Registration overview page (listed as Directory ID)\n- **Client ID**: Obtained from the Entra App Registration overview page (listed as Application ID)\n- **Client Secret**: Obtained when the secret is created during the app registration process\n\n**Private Networking Settings:**\n- **VNet Resource Group Name**: The resource group containing the Virtual Network (if using the VNet template from STEP 1, this is where you deployed it)\n- **VNet Name**: The name of the Virtual Network (default from VNet template: lumen-threatfeed-vnet)\n- **Function App Subnet Name**: The subnet delegated to Microsoft.App/environments (default from VNet template: functionapp-subnet)\n- **Private Endpoint Subnet Name**: The subnet for private endpoints (default from VNet template: privateendpoint-subnet)\n- 
**Create Private DNS Zones**: Set to true to create new Private DNS Zones, or false to use existing ones\n\n>**Note:** Ensure the Function App subnet is delegated to Microsoft.App/environments before deployment. The deployment will create private endpoints for storage account services and configure Private DNS zones automatically.""}, {""title"": """", ""description"": ""**STEP 6 - Verify Deployment**\n\n1. The connector polls for indicator updates every 15 minutes.\n2. Verify that the Function App is properly integrated with the Virtual Network by checking the Networking settings in the Azure Portal\n3. Confirm that private endpoints were created for the storage account services (blob, file, queue, table)\n4. After the app performs its first run, review the indicators ingested by either viewing the \""Lumen Defender Threat Feed Overview\"" workbook or viewing the \""Threat Intelligence\"" section in Microsoft Sentinel. In Microsoft Sentinel \""Threat Intelligence\"", filter for source \""Lumen\"" to display only Lumen generated indicators.""}, {""title"": """", ""description"": ""**Troubleshooting Private Networking Issues**\n\nIf the Function App is not receiving data after deployment:\n\n1. **Check VNet Integration**: Navigate to Function App \u2192 Networking \u2192 VNet integration and verify the Function App subnet is connected\n2. **Verify Private Endpoints**: Navigate to the storage account \u2192 Networking \u2192 Private endpoint connections and verify all endpoints are in \""Approved\"" state\n3. **Check DNS Resolution**: Ensure private DNS zones are properly linked to the VNet for storage account resolution\n4. **Review Function Logs**: Check Application Insights or Function App logs for connection errors\n5. 
**Subnet Delegation**: Confirm the Function App subnet is delegated to **Microsoft.App/environments** (required for Flex Consumption Plan)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions on the Log Analytics workspace are required."", ""providerDisplayName"": ""Log Analytics Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Azure Entra App Registration"", ""description"": ""An Azure Entra application registration with the Microsoft Sentinel Contributor role assigned is required for STIX Objects API access. [See the documentation to learn more about Azure Entra applications](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app).""}, {""name"": ""Microsoft Sentinel Contributor Role"", ""description"": ""Microsoft Sentinel Contributor role is required for the Azure Entra application to upload threat intelligence indicators.""}, {""name"": ""Lumen Defender Threat Feed API Key"", ""description"": ""A Lumen Defender Threat Feed API Key is required for accessing threat intelligence data. [Contact Lumen for API access](mailto:DefenderThreatFeedSales@Lumen.com?subject=API%20Access%20Request).""}, {""name"": ""Virtual Network permissions (for private access)"", ""description"": ""For private storage account access, **Network Contributor** permissions are required on the Virtual Network and subnets. 
The Function App subnet must be delegated to **Microsoft.App/environments** for Flex Consumption VNet integration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen%20Defender%20Threat%20Feed/Data%20Connectors/LumenThreatFeedv2/LumenThreatFeedConnectorV2_PrivateNetworking_ConnectorUI.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (api.ti.sentinel.azure.com)","","","","ThreatIntelIndicators.ObservableKey in ""domain-name:value,ipv4-addr:value"" | ThreatIntelIndicators.SourceSystem == ""Lumen""","false","Lumen Defender Threat Feed","false","","true","","","","STIX 2.1 Upload Indicators API","Connector code references STIX 2.1 Upload Indicators API endpoint (matched 'api.ti.sentinel.azure.com')","","" -"M365Assets","Microsoft","Microsoft 365 Assets (formerly, Office 365)","The Microsoft 365 (formerly, Office 365) asset connector gives richer insights into ongoing user activities in Microsoft Sentinel by supplementing activity logs with details such as owners, permissions, retention policies and sensitivity labels.

Data from this connector is used to build data risk graphs in Purview. If you've enabled those graphs, deactivating this connector will prevent the graphs from being built. [Learn about the data risk graph](https://go.microsoft.com/fwlink/?linkid=2320023).

This connector is in limited private preview.","[{""instructions"": [{""parameters"": {""type"": ""M365Assets"", ""description"": ""1.Connect Microsoft 365 assets (formerly, Office 365) to Microsoft Sentinel."", ""items"": [{""label"": ""SharePoint and OneDrive""}]}, ""type"": ""MSG""}]}]","{""tenant"": [""GlobalAdmin"", ""SecurityAdmin""], ""customs"": [{""name"": ""OfficeActivity table availability"", ""description"": ""Enable the OfficeActivity table in Log Analytics.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Assets/Data%20Connectors/M365Asset_DataConnectorDefinition.json","","Native","Microsoft native integration","","","","","false","Microsoft 365 Assets","false","","true","","","","","","","" +"M365Assets","Microsoft","Microsoft 365 Assets (formerly, Office 365)","The Microsoft 365 (formerly, Office 365) asset connector gives richer insights into ongoing user activities in Microsoft Sentinel by supplementing activity logs with details such as owners, permissions, retention policies and sensitivity labels.

Data from this connector is used to build data risk graphs in Purview. If you've enabled those graphs, deactivating this connector will prevent the graphs from being built. [Learn about the data risk graph](https://go.microsoft.com/fwlink/?linkid=2320023).

This connector is in limited private preview.","[{""instructions"": [{""parameters"": {""type"": ""M365Assets"", ""description"": ""1.Connect Microsoft 365 assets (formerly, Office 365) to Microsoft Sentinel."", ""items"": [{""label"": ""SharePoint and OneDrive""}]}, ""type"": ""MSG""}]}]","{""tenant"": [""GlobalAdmin"", ""SecurityAdmin""], ""customs"": [{""name"": ""OfficeActivity table availability"", ""description"": ""Enable the OfficeActivity table in Log Analytics.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Assets/Data%20Connectors/M365Asset_DataConnectorDefinition.json","","Native","Microsoft native integration","","","","","false","Microsoft 365 Assets","false","","false","","","","","","","" +"M365AuditDLPCCPDefinition","Marko Lauren","Microsoft 365 Audit.DLP","Microsoft 365 Audit.DLP connector ingests **DLP events for all workloads** from the Office 365 Management Activity API.

Data is ingested to the same **M365AuditGeneral_CL** table with **321 columns** including dedicated DLP schema fields.

**Prerequisites:** Entra ID app with Office 365 Management API permissions and DLP.All subscription.","[{""title"": ""1. Register an Entra ID Application"", ""description"": ""\u26a0\ufe0f If you already have an app from the Audit.General connector, you can **reuse the same app**. Otherwise:\n\n1. Go to **Microsoft Entra ID** > **App registrations** > **New registration**\n2. Name: `Sentinel-M365Audit` (or your preferred name)\n3. **Supported account types**: Accounts in this organizational directory only\n4. Click **Register**\n5. Note the **Application (client) ID** - you'll need this later\n6. Go to **Certificates & secrets** > **New client secret**\n7. Add a description, set expiration, click **Add**\n8. **Copy the secret Value immediately** - it won't be shown again""}, {""title"": ""2. Configure API Permissions"", ""description"": ""\u26a0\ufe0f Audit.DLP requires **ActivityFeed.ReadDlp** permission (different from Audit.General which needs ActivityFeed.Read).\n\n1. In your app registration, go to **API permissions** > **Add a permission**\n2. Select **Office 365 Management APIs**\n3. Choose **Application permissions**\n4. Select **ActivityFeed.ReadDlp**\n5. Click **Add permissions**\n6. Click **Grant admin consent** for your tenant\n7. Verify the permission shows as **Granted**\n\nNote: If sharing the same app with Audit.General connector, add both ActivityFeed.Read and ActivityFeed.ReadDlp permissions.""}, {""title"": ""3. 
Subscribe to DLP.All Content"", ""description"": ""[concat('Run this PowerShell script to subscribe to the DLP.All content type (required before data flows):\n\n```powershell\n# Replace with your values\n$tenantId = ''YOUR_TENANT_ID''\n$clientId = ''YOUR_CLIENT_ID''\n$clientSecret = ''YOUR_CLIENT_SECRET''\n$publisherId = $tenantId # Publisher identifier is your tenant ID\n\n# Get OAuth token\n$body = @{\n grant_type = ''client_credentials''\n client_id = $clientId\n client_secret = $clientSecret\n resource = ''https://manage.office.com''\n}\n$tokenResponse = Invoke-RestMethod -Method Post -Uri \""', environment().authentication.loginEndpoint, '$tenantId/oauth2/token\"" -Body $body\n$token = $tokenResponse.access_token\n\n# Start subscription\n$headers = @{Authorization = \""Bearer $token\""}\n$subscribeUri = \""https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=DLP.All&PublisherIdentifier=$publisherId\""\nInvoke-RestMethod -Method Post -Uri $subscribeUri -Headers $headers\n```')]""}, {""title"": ""4. Connect the Data Connector"", ""description"": ""Provide your Entra ID application credentials below. You can use the **same app credentials** as the Audit.General connector. 
The connector will automatically use your subscription's tenant ID for authentication and API calls."", ""instructions"": [{""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Application (Client) ID"", ""clientSecretLabel"": ""Client Secret Value"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Office 365 Management API credentials"", ""description"": ""An Entra ID application registration with **Client ID** and **Client Secret**. The application must have **Office 365 Management APIs - ActivityFeed.Read** permission and an active subscription to the **DLP.All** content type. You can reuse the same app as the Audit.General connector.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditDLP_CCF/M365AuditDLP_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Microsoft 365 Audit General and DLP","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditDLP_CCF/M365Audit_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditDLP_CCF/M365AuditDLP_PollerConfig.json","OAuth2;Paging;Nested","","","","" +"M365AuditGeneralCCPDefinition","Marko Lauren","Microsoft 365 Audit.General","Microsoft 365 Audit.General connector ingests **all SharePoint, Exchange, Teams, and Azure Active Directory events** from the Office 365 Management Activity API.

Data is ingested to a custom **M365AuditGeneral_CL** table with **321 columns** supporting all Office 365 record types and workloads.

**Prerequisites:** Entra ID app with Office 365 Management API permissions and Audit.General subscription.","[{""title"": ""1. Register an Entra ID Application"", ""description"": ""1. Go to **Microsoft Entra ID** > **App registrations** > **New registration**\n2. Name: `Sentinel-M365Audit` (or your preferred name)\n3. **Supported account types**: Accounts in this organizational directory only\n4. Click **Register**\n5. Note the **Application (client) ID** - you'll need this later\n6. Go to **Certificates & secrets** > **New client secret**\n7. Add a description, set expiration, click **Add**\n8. **Copy the secret Value immediately** - it won't be shown again""}, {""title"": ""2. Configure API Permissions"", ""description"": ""1. In your app registration, go to **API permissions** > **Add a permission**\n2. Select **Office 365 Management APIs**\n3. Choose **Application permissions**\n4. Select **ActivityFeed.Read**\n5. Click **Add permissions**\n6. Click **Grant admin consent** for your tenant\n7. Verify the permission shows as **Granted**""}, {""title"": ""3. 
Subscribe to Audit.General Content"", ""description"": ""[concat('Run this PowerShell script to subscribe to the Audit.General content type (required before data flows):\n\n```powershell\n# Replace with your values\n$tenantId = ''YOUR_TENANT_ID''\n$clientId = ''YOUR_CLIENT_ID''\n$clientSecret = ''YOUR_CLIENT_SECRET''\n$publisherId = $tenantId # Publisher identifier is your tenant ID\n\n# Get OAuth token\n$body = @{\n grant_type = ''client_credentials''\n client_id = $clientId\n client_secret = $clientSecret\n resource = ''https://manage.office.com''\n}\n$tokenResponse = Invoke-RestMethod -Method Post -Uri \""', environment().authentication.loginEndpoint, '$tenantId/oauth2/token\"" -Body $body\n$token = $tokenResponse.access_token\n\n# Start subscription\n$headers = @{Authorization = \""Bearer $token\""}\n$subscribeUri = \""https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=Audit.General&PublisherIdentifier=$publisherId\""\nInvoke-RestMethod -Method Post -Uri $subscribeUri -Headers $headers\n```')]""}, {""title"": ""4. Connect the Data Connector"", ""description"": ""Provide your Entra ID application credentials below. The connector will automatically use your subscription's tenant ID for authentication and API calls."", ""instructions"": [{""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Application (Client) ID"", ""clientSecretLabel"": ""Client Secret Value"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Office 365 Management API credentials"", ""description"": ""An Entra ID application registration with **Client ID** and **Client Secret**. 
The application must have **Office 365 Management APIs - ActivityFeed.Read** permission and an active subscription to the **Audit.General** content type.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditGeneral_CCF/M365AuditGeneral_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Microsoft 365 Audit General and DLP","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditGeneral_CCF/M365Audit_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Audit%20General%20and%20DLP/Data%20Connectors/M365AuditGeneral_CCF/M365AuditGeneral_PollerConfig.json","OAuth2;Paging;Nested","","","","" "MISP2SentinelConnector","MISP project & cudeso.be","MISP2Sentinel","This solution installs the MISP2Sentinel connector that allows you to automatically push threat indicators from MISP to Microsoft Sentinel via the Upload Indicators REST API. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view.","[{""title"": ""Installation and setup instructions"", ""description"": ""Use the documentation from this GitHub repository to install and configure the MISP to Microsoft Sentinel connector: \n\nhttps://github.com/cudeso/misp2sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.SecurityInsights/threatintelligence/write"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MISP2Sentinel/Data%20Connectors/MISP2SentinelConnector_UploadIndicatorsAPI.json","","Azure Function (TI Upload API)","Connector definition filename suffix '_UploadIndicatorsAPI' indicates Sentinel STIX Upload Indicators API ingestion","","","","ThreatIntelIndicators.SourceSystem == ""MISP""","false","MISP2Sentinel","false","","true","","","","STIX 2.1 Upload Indicators API","Connector definition filename suffix '_UploadIndicatorsAPI' indicates STIX 2.1 Upload Indicators API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#misp2sentinel" -"MailGuard365","MailGuard365","MailGuard 365","MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.","[{""title"": ""Configure and connect MailGuard 365"", ""description"": ""1. In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n4. Enter your workspace id and primary key from the fields below, click **Finish**.\n5. 
For additional instructions, please contact MailGuard 365 support."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MailGuard%20365/Data%20Connectors/MailGuard365.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","true","MailGuard 365","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#mailguard-365" +"MailGuard365","MailGuard365","MailGuard 365","MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.","[{""title"": ""Configure and connect MailGuard 365"", ""description"": ""1. 
In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n4. Enter your workspace id and primary key from the fields below, click **Finish**.\n5. For additional instructions, please contact MailGuard 365 support."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MailGuard%20365/Data%20Connectors/MailGuard365.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","MailGuard 365","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#mailguard-365" "MarkLogic","MarkLogic","[Deprecated] MarkLogic Audit","MarkLogic data connector provides the capability to ingest [MarkLogicAudit](https://www.marklogic.com/) logs into Microsoft Sentinel. 
Refer to [MarkLogic documentation](https://docs.marklogic.com/guide/getting-started) for more information.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias MarkLogicAudit and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MarkLogicAudit/Parsers/MarkLogicAudit.txt) on the second line of the query, enter the hostname(s) of your MarkLogicAudit device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Tomcat Server where the logs are generated.\n\n> Logs from MarkLogic Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual 
Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure MarkLogicAudit to enable auditing"", ""description"": ""Perform the following steps to enable auditing for a group:\n\n>Access the Admin Interface with a browser;\n\n>Open the Audit Configuration screen (Groups > group_name > Auditing);\n\n>Select True for the Audit Enabled radio button;\n\n>Configure any audit events and/or audit restrictions you want;\n\n>Click OK.\n\n Refer to the [MarkLogic documentation for more details](https://docs.marklogic.com/guide/admin/auditing)""}, {""title"": ""3. Configure the logs to be collected"", ""description"": ""Configure the custom log directory to be collected"", ""instructions"": [{""parameters"": {""linkType"": ""OpenCustomLogsSettings""}, ""type"": ""InstallAgent""}]}, {""title"": """", ""description"": ""1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Settings**, select **Custom Logs** and click **+Add custom log**\n3. Click **Browse** to upload a sample of a MarkLogicAudit log file. Then, click **Next >**\n4. Select **Timestamp** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to MarkLogicAudit logs based on your configuration \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. 
Add **MarkLogicAudit** as the custom log Name (the '_CL' suffix will be added automatically) and click **Done**.""}, {""title"": ""Validate connectivity"", ""description"": ""It may take upwards of 20 minutes until your logs start to appear in Microsoft Sentinel.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MarkLogicAudit/DataConnectors/Connector_MarkLogicAudit.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","","true","MarkLogicAudit","true","","true","","","","","","","" -"McAfeeNSP","McAfee","[Deprecated] McAfee Network Security Platform","The [McAfee® Network Security Platform](https://www.mcafee.com/enterprise/en-us/products/network-security-platform.html) data connector provides the capability to ingest [McAfee® Network Security Platform events](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-integration-guide-unmanaged/page/GUID-8C706BE9-6AC9-4641-8A53-8910B51207D8.html) into Microsoft Sentinel. 
Refer to [McAfee® Network Security Platform](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-integration-guide-unmanaged/page/GUID-F7D281EC-1CC9-4962-A7A3-5A9D9584670E.html) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**McAfeeNSPEvent**](https://aka.ms/sentinel-mcafeensp-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using McAfee\u00ae Network Security Platform version: 10.1.x"", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server where the McAfee\u00ae Network Security Platform logs are forwarded.\n\n> Logs from McAfee\u00ae Network Security Platform Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", 
""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure McAfee\u00ae Network Security Platform event forwarding"", ""description"": ""Follow the configuration steps below to get McAfee\u00ae Network Security Platform logs into Microsoft Sentinel.\n1. [Follow these instructions](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-E4A687B0-FAFB-4170-AC94-1D968A10380F.html) to forward alerts from the Manager to a syslog server.\n2. Add a syslog notification profile, [more details here](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-5BADD5D7-21AE-4E3B-AEE2-A079F3FD6A38.html). This is mandatory. 
While creating profile, to make sure that events are formatted correctly, enter the following text in the Message text box:\n\t\t:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID\n\t\t|ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE\n\t\t|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY\n\t\t|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20Network%20Security%20Platform/Data%20Connectors/McAfeeNSP.json","","AMA","Syslog with agent installation (no AMA)","","","","Syslog.ProcessName == ""SyslogAlertForwarderNSP""","true","McAfee Network Security Platform","true","","true","","","","","","","" -"McAfeeePO","McAfee","[Deprecated] McAfee ePolicy Orchestrator (ePO)","The McAfee ePolicy Orchestrator data connector provides the capability to ingest [McAfee ePO](https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html) events into Microsoft Sentinel through the syslog. Refer to [documentation](https://docs.mcafee.com/bundle/epolicy-orchestrator-landing/page/GUID-0C40020F-5B7F-4549-B9CC-0E017BC8797F.html) for more information.","[{""title"": """", ""description"": "">This data connector depends on a parser based on a Kusto Function to work as expected [**McAfeeEPOEvent**](https://aka.ms/sentinel-McAfeeePO-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. 
Configure McAfee ePolicy Orchestrator event forwarding to Syslog server"", ""description"": ""[Follow these instructions](https://kcm.trellix.com/corporate/index?page=content&id=KB87927) to add register syslog server.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator/Data%20Connectors/Connector_McAfee_ePO.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName contains ""EPOEvents"" | Syslog.SyslogMessage contains """" | Syslog.SyslogMessage contains """"","true","McAfee ePolicy Orchestrator","true","","true","","","","","","","" +"McAfeeNSP","McAfee","[Deprecated] McAfee Network Security Platform","The [McAfee® Network Security Platform](https://www.mcafee.com/enterprise/en-us/products/network-security-platform.html) data connector provides the capability to ingest [McAfee® Network Security Platform events](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-integration-guide-unmanaged/page/GUID-8C706BE9-6AC9-4641-8A53-8910B51207D8.html) into Microsoft Sentinel. 
Refer to [McAfee® Network Security Platform](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-integration-guide-unmanaged/page/GUID-F7D281EC-1CC9-4962-A7A3-5A9D9584670E.html) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**McAfeeNSPEvent**](https://aka.ms/sentinel-mcafeensp-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using McAfee\u00ae Network Security Platform version: 10.1.x"", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server where the McAfee\u00ae Network Security Platform logs are forwarded.\n\n> Logs from McAfee\u00ae Network Security Platform Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", 
""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure McAfee\u00ae Network Security Platform event forwarding"", ""description"": ""Follow the configuration steps below to get McAfee\u00ae Network Security Platform logs into Microsoft Sentinel.\n1. [Follow these instructions](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-E4A687B0-FAFB-4170-AC94-1D968A10380F.html) to forward alerts from the Manager to a syslog server.\n2. Add a syslog notification profile, [more details here](https://docs.mcafee.com/bundle/network-security-platform-10.1.x-product-guide/page/GUID-5BADD5D7-21AE-4E3B-AEE2-A079F3FD6A38.html). This is mandatory. 
While creating profile, to make sure that events are formatted correctly, enter the following text in the Message text box:\n\t\t:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID\n\t\t|ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE\n\t\t|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY\n\t\t|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20Network%20Security%20Platform/Data%20Connectors/McAfeeNSP.json","","AMA","Syslog with agent installation (no AMA)","","","","Syslog.ProcessName == ""SyslogAlertForwarderNSP""","true","McAfee Network Security Platform","true","","false","","","","","","","" +"McAfeeePO","McAfee","[Deprecated] McAfee ePolicy Orchestrator (ePO)","The McAfee ePolicy Orchestrator data connector provides the capability to ingest [McAfee ePO](https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html) events into Microsoft Sentinel through the syslog. Refer to [documentation](https://docs.mcafee.com/bundle/epolicy-orchestrator-landing/page/GUID-0C40020F-5B7F-4549-B9CC-0E017BC8797F.html) for more information.","[{""title"": """", ""description"": "">This data connector depends on a parser based on a Kusto Function to work as expected [**McAfeeEPOEvent**](https://aka.ms/sentinel-McAfeeePO-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. 
Configure McAfee ePolicy Orchestrator event forwarding to Syslog server"", ""description"": ""[Follow these instructions](https://kcm.trellix.com/corporate/index?page=content&id=KB87927) to add register syslog server.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator/Data%20Connectors/Connector_McAfee_ePO.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName contains ""EPOEvents"" | Syslog.SyslogMessage contains """" | Syslog.SyslogMessage contains """"","true","McAfee ePolicy Orchestrator","true","","false","","","","","","","" "MicrosoftAzurePurview","Microsoft","Microsoft Purview","Connect to Microsoft Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Microsoft Purview scans can be ingested and visualized through workbooks, analytical rules, and more. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2224125&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).","[{""title"": ""Connect Microsoft Purview to Microsoft Sentinel"", ""description"": ""Within the Azure Portal, navigate to your Purview resource:\n 1. In the search bar, search for **Purview accounts.**\n 2. Select the specific account that you would like to be set up with Sentinel.\n\nInside your Microsoft Purview resource:\n 3. Select **Diagnostic Settings.**\n 4. Select **+ Add diagnostic setting.**\n 5. In the **Diagnostic setting** blade:\n - Select the Log Category as **DataSensitivityLogEvent**.\n - Select **Send to Log Analytics**.\n - Chose the log destination workspace. 
This should be the same workspace that is used by **Microsoft Sentinel.**\n - Click **Save**."", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Microsoft Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Purview/Data%20Connectors/MicrosoftPurview.json","","Azure Diagnostics","References Azure Diagnostics","","","","PurviewDataSensitivityLogs.Classification has ""Social Security Number""","false","Microsoft Purview","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview" "MicrosoftCloudAppSecurity","Microsoft","Microsoft Defender for Cloud Apps","By connecting with [Microsoft Defender for Cloud Apps](https://aka.ms/asi-mcas-connector-description) you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.

- Identify shadow IT cloud apps on your network.
- Control and limit access based on conditions and session context.
- Use built-in or custom policies for data sharing and data loss prevention.
- Identify high-risk use and get alerts for unusual user activities with Microsoft behavioral analytics and anomaly detection capabilities, including ransomware activity, impossible travel, suspicious email forwarding rules, and mass download of files.
- Mass download of files

[Deploy now >](https://aka.ms/asi-mcas-connector-deploynow)","[{""title"": ""Connect Microsoft Defender for Cloud Apps to Microsoft Sentinel"", ""description"": ""In the Microsoft Defender for Cloud Apps portal, under Settings, select Security extensions and then SIEM and set Microsoft Sentinel as your SIEM agent. For more information, see [Microsoft Defender for Cloud Apps](https://aka.ms/azuresentinelmcas) .\n\nAfter you connect Microsoft Defender for Cloud Apps, the alerts and discovery logs are sent to this Microsoft Sentinel workspace.\u200b"", ""instructions"": [{""parameters"": {""connectorKind"": ""MicrosoftCloudAppSecurity"", ""dataTypes"": [{""title"": ""Alerts"", ""name"": ""alerts""}, {""title"": ""Cloud Discovery Logs (Preview)"", ""name"": ""discoveryLogs""}]}, ""type"": ""MCasDataTypes""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""tenant"": [""GlobalAdmin"", ""SecurityAdmin""], ""licenses"": [""Mcas""]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20for%20Cloud%20Apps/Data%20Connectors/MicrosoftCloudAppSecurity.JSON","","Unknown","Method not detected","","","","SecurityAlert.ProductName == ""Microsoft Cloud App Security""","false","Microsoft Defender for Cloud Apps","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud-apps" "MicrosoftCopilot","Microsoft","Microsoft Copilot","The Microsoft Copilot logs connector in Microsoft Sentinel enables seamless ingestion of Copilot-generated activity logs from M365 Copilot and Security Copilot into Microsoft Sentinel for advanced threat detection, investigation and response. 
It collects telemetry from Microsoft Copilot services such as usage data and system responses and ingests into Microsoft Sentinel, allowing security teams to monitor for misuse, detect anomalies, and maintain compliance with organizational policies.","[{""title"": ""Connect Microsoft Copilot audit logs to Microsoft Sentinel"", ""description"": ""This connector uses the Office Management API to get your Microsoft Copilot audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **CopilotActivity** table."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Tenant Permissions"", ""description"": ""'Security Administrator' or 'Global Administrator' on the workspace's tenant.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Copilot/Data%20Connectors/MicrosoftCopilot_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Microsoft Copilot","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Copilot/Data%20Connectors/MicrosoftCopilot_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Copilot/Data%20Connectors/MicrosoftCopilot_PollingConfig.json","PurviewAudit","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-copilot" 
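Review bot: the flag flips in this hunk are not self-explaining and leave an inconsistency with an unchanged neighbouring row. The `MailGuard365` row goes from `"","true","MailGuard 365"` to `"","false","MailGuard 365"`, while `McAfeeNSP` and `McAfeeePO` flip a different column, the `"true"` after `"McAfee Network Security Platform","true",""` and `"McAfee ePolicy Orchestrator","true",""`, to `"false"`; in both cases the rationale columns stay as they were, so nothing in the CSV records why. The context row `MarkLogic`, which is also titled `[Deprecated]`, is also classified `"AMA","Uses InstallAgent patterns (MMA-era)"` and also has no docs-reference URL at the end, keeps `"true"` in that same column. Please state the criterion that distinguishes MarkLogic from the two McAfee connectors (or apply the same override to it), and have the generator write the override reason into the rationale column rather than hand-flipping a generated file. Two pre-existing oddities are re-emitted in the `+` rows and could be fixed in the same regeneration: `McAfeeNSP` carries method `"AMA"` next to the note `"Syslog with agent installation (no AMA)"`, and the `McAfeeePO` detection query ends in two `Syslog.SyslogMessage contains ""` clauses, which match every row.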
@@ -376,7 +382,7 @@ "MicrosoftPowerAutomate","Microsoft","Microsoft Power Automate","Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.","[{""title"": ""Connect Microsoft Power Automate audit logs to Microsoft Sentinel"", ""description"": ""This connector uses the Office Management API to get your Power Automate audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerAutomateActivity** table."", ""instructions"": [{""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Tenant Permissions"", ""description"": ""'Security Administrator' or 'Global Administrator' on the workspace's tenant.""}, {""name"": ""Micorosft Purview Audit"", ""description"": ""Microsoft Purview Audit (Standard or Premium) must be activated.""}]}","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Business%20Applications/Package/mainTemplate.json","","Unknown","Method not detected","","","","","false","Microsoft Business Applications","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-power-automate" "MicrosoftPowerPlatformAdminActivity","Microsoft","Microsoft Power Platform Admin Activity","Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.","[{""title"": ""Connect Microsoft Power Platform Admin Activity audit logs to Microsoft Sentinel"", ""description"": ""This connector uses the Office Management API to get your Power Platform administrator audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. 
You can find the data in the **PowerPlatformAdminActivity** table."", ""instructions"": [{""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Tenant Permissions"", ""description"": ""'Security Administrator' or 'Global Administrator' on the workspace's tenant.""}, {""name"": ""Micorosft Purview Audit"", ""description"": ""Microsoft Purview Audit (Standard or Premium) must be activated.""}]}","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Business%20Applications/Package/mainTemplate.json","","Unknown","Method not detected","","","","","false","Microsoft Business Applications","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-power-platform-admin-activity" "MicrosoftPurviewInformationProtection","Microsoft","Microsoft Purview Information Protection","Microsoft Purview Information Protection helps you discover, classify, protect, and govern sensitive information wherever it lives or travels. Using these capabilities enable you to know your data, identify items that are sensitive and gain visibility into how they are being used to better protect your data. 
Sensitivity labels are the foundational capability that provide protection actions, applying encryption, access restrictions and visual markings.
Integrate Microsoft Purview Information Protection logs with Microsoft Sentinel to view dashboards, create custom alerts and improve investigation. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223811&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).","[{""title"": ""Connect Microsoft Purview Information Protection audit logs to Microsoft Sentinel"", ""instructions"": [{""parameters"": {""connectorKind"": ""MicrosoftPurviewInformationProtection"", ""title"": """", ""enable"": true}, ""type"": ""SentinelResourceProvider""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""tenant"": [""GlobalAdmin"", ""SecurityAdmin""], ""customs"": [{""name"": ""License"", ""description"": ""Enterprise Mobility + Security E5/A5 or Microsoft 365 E5/A5 or P2""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Purview%20Information%20Protection/Data%20Connectors/MicrosoftPurviewInformationProtection.json","","Native","Uses SentinelKinds (Native integration)","","","","","false","Microsoft Purview Information Protection","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-purview-information-protection" -"MicrosoftSentinelSAP","Microsoft","Microsoft Sentinel for SAP","The Microsoft Sentinel solution for SAP allows you to monitor SAP systems and detect sophisticated threats throughout the business logic and application layers. 
The solution includes the Microsoft Sentinel for SAP data connector which collects logs from across the entire SAP system landscape using a containerized agent.","","","false","","","Unknown","Method not detected","","","","","false","SAP","false","","false","","","","","","","" +"MicrosoftSentinelSAP","Microsoft","Microsoft Sentinel for SAP","The Microsoft Sentinel solution for SAP allows you to monitor SAP systems and detect sophisticated threats throughout the business logic and application layers. The solution includes the Microsoft Sentinel for SAP data connector which collects logs from across the entire SAP system landscape using a containerized agent.","","","false","","","Unknown","Method not detected","","","","","false","SAP","false","","true","","","","","","","" "MicrosoftSysmonForLinux","Microsoft","[Deprecated] Microsoft Sysmon For Linux","[Sysmon for Linux](https://github.com/Sysinternals/SysmonForLinux) provides detailed information about process creations, network connections and other system events.
[Sysmon for linux link:]. The Sysmon for Linux connector uses [Syslog](https://aka.ms/sysLogInfo) as its data ingestion method. This solution depends on ASIM to work as expected. [Deploy ASIM](https://aka.ms/DeployASIM) to get the full value from the solution.","[{""title"": """", ""description"": "">This data connector depends on ASIM parsers based on a Kusto Functions to work as expected. [Deploy the parsers](https://aka.ms/ASimSysmonForLinuxARM) \n\n The following functions will be deployed:\n\n - vimFileEventLinuxSysmonFileCreated, vimFileEventLinuxSysmonFileDeleted\n\n - vimProcessCreateLinuxSysmon, vimProcessTerminateLinuxSysmon\n\n - vimNetworkSessionLinuxSysmon \n\n[Read more](https://aka.ms/AboutASIM)"", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n\n1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n2. 
Select **Apply below configuration to my machines** and select the facilities and severities.\n3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Sysmon%20For%20Linux/Data%20Connectors/SysmonForLinux.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName == ""sysmon""","false","Microsoft Sysmon For Linux","true","","true","","","","","","","" "MicrosoftThreatProtection","Microsoft","Microsoft Defender XDR","Microsoft Defender XDR is a unified, natively integrated, pre- and post-breach enterprise defense suite that protects endpoint, identity, email, and applications and helps you detect, prevent, investigate, and automatically respond to sophisticated threats.

Microsoft Defender XDR suite includes:
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Threat & Vulnerability Management
- Microsoft Defender for Cloud Apps

For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2220004&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).","[{""title"": ""Connect incidents & alerts"", ""description"": ""Connect Microsoft Defender XDR incidents to your Microsoft Sentinel. Incidents will appear in the incidents queue."", ""isComingSoon"": false, ""bottomBorder"": true, ""instructions"": [{""parameters"": {}, ""type"": ""MicrosoftThreatProtection""}]}, {""title"": ""Connect events"", ""instructions"": [{""parameters"": {}, ""type"": ""MicrosoftDefenderATPEvents""}]}]","{""tenant"": [""GlobalAdmin"", ""SecurityAdmin""], ""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""License"", ""description"": ""M365 E5, M365 A5 or any other Microsoft Defender XDR eligible license.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Data%20Connectors/MicrosoftThreatProtection.JSON","","Native","Uses SentinelKinds (Native integration)","","","","DeviceRegistryEvents.ActionType == ""RegistryValueSet"" | SecurityAlert.ProductName in ""Azure Advanced Threat Protection,Microsoft 365 Defender,Microsoft Cloud App Security,Microsoft Defender Advanced Threat Protection,Office 365 Advanced Threat Protection"" | SecurityAlert.ProviderName == ""Microsoft 365 Defender""","false","Microsoft Defender XDR","false","","true","","","","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#microsoft-defender-xdr" "MimecastATAPI","Mimecast","Mimecast Awareness Training","The data connector for [Mimecast Awareness Training](https://integrations.mimecast.com/tech-partners/microsoft-sentinel/) provides customers with the visibility 
into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.
The Mimecast products included within the connector are:
- Performance Details
- Safe Score Details
- User Data
- Watchlist Details
","[{""title"": ""Resource group"", ""description"": ""You need to have a resource group created with a subscription you are going to use.""}, {""title"": ""Functions app"", ""description"": ""You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret\n5. Entra Object ID""}, {""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of Mimecast Data Connector. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of Mimecast Data Connector. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of Mimecast Data Connector. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 3 - Get Object ID of your application in Microsoft Entra ID**\n\n After creating your app registration, follow the steps in this section to get Object ID:\n 1. Go to **Microsoft Entra ID**.\n 2. Select **Enterprise applications** from the left menu.\n 3. Find your newly created application in the list (you can search by the name you provided).\n 4. Click on the application.\n 5. On the overview page, copy the **Object ID**. 
This is the **AzureEntraObjectId** needed for your ARM template role assignment.\n""}, {""title"": """", ""description"": ""**STEP 4 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Mimecast API authorization key(s) or Token, readily available.""}, {""title"": ""Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Mimecast Awareness Training Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAT-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-MimecastAT-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\n\t a. Location - The location in which the data collection rules and data collection endpoints should be deployed\n\n\t b. WorkspaceName - Enter Microsoft Sentinel Workspace Name of Log Analytics workspace\n\n\t c. AzureClientID - Enter Azure Client ID that you have created during app registration\n\n\t d. AzureClientSecret - Enter Azure Client Secret that you have created during creating the client secret\n\n\t e. AzureTenantID - Enter Azure Tenant ID of your Azure Active Directory\n\n\t f. AzureEntraObjectID - Enter Object id of your Microsoft Entra App\n\n\t g. MimecastBaseURL - Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)\n\n\t h. MimecastClientID - Enter Mimecast Client ID for authentication\n\n\t i. MimecastClientSecret - Enter Mimecast Client Secret for authentication\n\n\t j. MimecastAwarenessPerformanceDetailsTableName - Enter name of the table used to store Awareness Performance Details data. Default is 'Awareness_Performance_Details'\n\n\t k. MimecastAwarenessUserDataTableName - Enter name of the table used to store Awareness User Data data. 
Default is 'Awareness_User_Data'\n\n\t l. MimecastAwarenessWatchlistDetailsTableName - Enter name of the table used to store Awareness Watchlist Details data. Default is 'Awareness_Watchlist_Details'\n\n\t m. MimecastAwarenessSafeScoreDetailsTableName - Enter name of the table used to store Awareness SafeScore Details data. Default is 'Awareness_SafeScore_Details'\n\n\t n. StartDate - Enter the start date in the 'yyyy-mm-dd' format. If you do not provide a date, data from the last 60 days will be fetched automatically. Ensure that the date is in the past and properly formatted\n\n\t o. Schedule - Please enter a valid Quartz cron-expression. (Example: 0 0 */1 * * *) Do not keep the value empty, minimum value is 10 minutes\n\n\t p. LogLevel - Please add log level or log severity value. By default it is set to INFO\n\n\t q. AppInsightsWorkspaceResourceId - Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}' \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Azure Subscription"", ""description"": ""Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group.""}, {""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Data%20Connectors/MimecastAT/Mimecast_AT_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Mimecast","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#mimecast-awareness-training" 
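Review bot: The only change in this hunk is the MicrosoftSentinelSAP row flipping one flag from `"false"` to `"true"` (the column immediately after `"SAP","false",""`, which is `"true"` for every other row in this hunk), while the row still has an empty definition-file URL, `Unknown` / `Method not detected`, and no docs-reference link. Nothing in the row records that the value came from an override rather than from detection, so a consumer of the CSV cannot tell it apart from a connector the mapper actually found; suggest writing the override source into the detection-notes column as well (e.g. `Method not detected; flag set by in-solution override`) or at least documenting that column's semantics in the README. Pre-existing and not introduced here, but worth a follow-up: the MicrosoftSysmonForLinux row reports method `AMA` with reason `Uses InstallAgent patterns (MMA-era)`, which contradicts itself; if `InstallAgent` instruction steps are the MMA-era heuristic, the method label should say MMA/legacy rather than AMA. Likewise the `Micorosft Purview Audit` typo in the Power Automate and Power Platform Admin rows is copied from the upstream connector definitions, not a mapper bug.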
@@ -392,9 +398,11 @@ "MongoDBAtlasLogsAzureFunctions","MongoDB","MongoDB Atlas Logs","The [MongoDBAtlas](https://www.mongodb.com/products/platform/atlas-database) Logs connector gives the capability to upload MongoDB Atlas database logs into Microsoft Sentinel through the MongoDB Atlas Administration API. Refer to the [API documentation](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/) for more information. The connector provides the ability to get a range of database log messages for the specified hosts and specified project.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to 'MongoDB Atlas' to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">Ensure the workspace is added to Microsoft Sentinel before deploying the connector.""}, {""title"": ""STEP 1 - Configuration steps for the 'MongoDB Atlas Administration API'"", ""description"": ""1. [Follow these instructions](https://www.mongodb.com/docs/atlas/configure-api-access/#grant-programmatic-access-to-an-organization) to create a MongoDB Atlas service account.\n2. Copy the **Client ID** and **Client Secret** you created, also the **Group ID** (Project) and each **Cluster ID** (Hostname) required for later steps.\n3. Refer [MongoDB Atlas API documentation](https://www.mongodb.com/docs/api/doc/atlas-admin-api-v2/operation/operation-downloadgroupclusterlog) for more details.\n4. 
The client secret can be passed into the connector via an Azure key vault or directly into the connector.\n5. If you want to use the key vault option create a key vault, using a Vault Access Policy, with a secret named **mongodb-client-secret** and your client secret saved as the secret value.""}, {""title"": ""STEP 2 - Deploy the 'MongoDB Atlas Logs' connector and the associated Azure Function"", ""description"": ""\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMongoDBAtlas%2FData%20Connectors%2FMongoDBAtlasLogs%2Fazuredeploy_Connector_MongoDBAtlasLogs_AzureFunction.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FMongoDBAtlas%2FData%20Connectors%2FMongoDBAtlasLogs%2FcreateUiDef.json)""}, {""title"": ""STEP 3 - Set the connector parameters"", ""description"": ""1. Select the preferred **Subscription** and an existing **Resource Group**.\n2. Enter an existing **Log Analytics Workspace Resource ID** belonging to the resource group.\n3. Click **Next**\n4. Enter the **MongoDB Group ID**, a list of up to 10 **MongoDB Cluster IDs**, each on a separate line, and **MongoDB Client ID**.\n5. Choose for **Authentication Method** either **Client Secret** and copy in your client secret value or **Key Vault** and copy in the name of your key vault. \nClick **Next** \n6. Review the MongoDB filters. Select logs from at least one category. Click **Next** \n7. Review the schedule. Click **Next** \n8. 
Review the settings then click **Create**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""MongoDB Atlas service account **Client ID** and **Client Secret** are required. 
[See the documentation to learn more about creating a service account](https://www.mongodb.com/docs/atlas/configure-api-access/#grant-programmatic-access-to-an-organization)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MongoDBAtlas/Data%20Connectors/MongoDBAtlasLogs/MongoDBAtlasLogs_AzureFunction.json","","Azure Function","ID contains AzureFunction/FunctionApp","","","","","false","MongoDBAtlas","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#mongodb-atlas-logs" "MorphisecCCF","Morphisec","Morphisec API Data Connector (via Codeless Connector Framework)","The [Morphisec](https://www.morphisec.com/) solution for Microsoft Sentinel enables you to seamlessly ingest security alerts directly from the Morphisec API. By leveraging Morphisec's proactive breach prevention and moving target defense capabilities, this integration enriches your security operations with high-fidelity, low-noise alerts on evasive threats.
This solution provides more than just data ingestion; it equips your security team with a full suite of ready-to-use content, including: Data Connector, ASIM Parser, Analytic Rule Templates and Workbook.
With this solution, you can empower your SOC to leverage Morphisec's powerful threat prevention within a unified investigation and response workflow in Microsoft Sentinel.","[{""title"": ""Configure Morphisec Connector"", ""description"": ""1. Create an API key client in Morphisec Console with read permissions to fetch alerts. \n2. Provide the Client ID and Client Secret in the connector configuration."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Morphisec Base URL"", ""placeholder"": ""https://.morphisec.cloud"", ""type"": ""text"", ""name"": ""baseUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""Enter the Client ID"", ""type"": ""text"", ""name"": ""clientId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Enter the Client Secret"", ""type"": ""password"", ""name"": ""secret""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Tenant ID"", ""placeholder"": ""Enter your Morphisec Tenant ID"", ""type"": ""text"", ""name"": ""tenantId""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect to Morphisec"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Data%20Connectors/Morphisec_CCF/Morphisec_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","Morphisec","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Data%20Connectors/Morphisec_CCF/Morphisec_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Data%20Connectors/Morphisec_CCF/Morphisec_PollerConfig.json","OAuth2;Paging","","","","" "MuleSoft","MuleSoft","MuleSoft Cloudhub","The [MuleSoft Cloudhub](https://www.mulesoft.com/platform/saas/cloudhub-ipaas-cloud-based-integration) data connector provides the capability to retrieve logs from Cloudhub applications using the Cloudhub API and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**MuleSoftCloudhub**](https://aka.ms/sentinel-MuleSoftCloudhub-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**Note: This data connector fetch only the logs of the CloudHub application using Platform API and not of CloudHub 2.0 application**""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the MuleSoft Cloudhub API**\n\n Follow the instructions to obtain the credentials.\n\n1. Obtain the **MuleSoftEnvId**, **MuleSoftAppName**, **MuleSoftUsername** and **MuleSoftPassword** using the [documentation](https://help.mulesoft.com/s/article/How-to-get-Cloudhub-application-information-using-Anypoint-Platform-API).\n2. Save credentials for using in the data connector.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the MuleSoft Cloudhub data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""**Option 1 - Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the MuleSoft Cloudhub data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MuleSoftCloudhubAPI-azuredeploy)\n2. 
Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **MuleSoftEnvId**, **MuleSoftAppName**, **MuleSoftUsername** and **MuleSoftPassword** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": """", ""description"": ""**Option 2 - Manual Deployment of Azure Functions**\n\n Use the following step-by-step instructions to deploy the MuleSoft Cloudhub data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-MuleSoftCloudhubAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. 
**Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. MuleSoftXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tMuleSoftEnvId\n\t\tMuleSoftAppName\n\t\tMuleSoftUsername\n\t\tMuleSoftPassword\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**MuleSoftEnvId**, **MuleSoftAppName**, **MuleSoftUsername** and **MuleSoftPassword** are required for making API calls.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MuleSoft_Cloudhub_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Mulesoft","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#mulesoft-cloudhub-using-azure-functions" +"MulesoftCloudhubConnector","Microsoft","Mulesoft CloudHub Alerts Connector (via Codeless Connector Framework)","The Mulesoft CloudHub data connector enables you to ingest alerts from Mulesoft CloudHub into Microsoft Sentinel through the CloudHub REST API v2. This connector supports configurable endpoints to accommodate different Mulesoft regions and deployment environments including US Commercial Cloud, EU Cloud, Government Cloud, and on-premises deployments. It uses multi-stream support so you can connect to multiple Mulesoft environments simultaneously. Configure the connector with your Anypoint Platform credentials, environment ID, and optional application name filter to begin collecting data. Use the `MuleSoftCloudhub` parser to query ingested alerts. 
Refer to [Mulesoft CloudHub API documentation](https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/) for more information about the CloudHub APIs.","[{""title"": ""1. Mulesoft CloudHub Connections"", ""description"": ""Manage connections to your Mulesoft CloudHub environments"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Prerequisites\r\n\r\nBefore configuring this connector, ensure you have:\r\n\r\n1. **Mulesoft Anypoint Platform Account** with appropriate permissions\r\n2. **Environment Access** to the CloudHub environment you want to monitor\r\n3. **API Access Credentials** (username and password)\r\n4. **Environment ID** from your Mulesoft CloudHub console\r\n\r\n### Finding Your Environment ID\r\n\r\n1. Log in to [Anypoint Platform](https://anypoint.mulesoft.com/)\r\n2. Navigate to **Access Management** > **Environments**\r\n3. Select your target environment\r\n4. Copy the Environment ID from the URL or environment details""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""This connector requires read access to the CloudHub API. 
Contact your Mulesoft administrator if you don't have the necessary permissions."", ""visible"": true, ""inline"": false}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Connection Alias"", ""columnValue"": ""properties.addOnAttributes.connectionAlias""}, {""columnName"": ""Stream Type"", ""columnValue"": ""properties.addOnAttributes.streamType""}, {""columnName"": ""Base URL"", ""columnValue"": ""properties.addOnAttributes.mulesoftBaseUrl""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""label"": ""Add Connection"", ""title"": ""Add Mulesoft CloudHub Connection"", ""subtitle"": ""Configure a connection to a Mulesoft CloudHub environment"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""title"": ""Base Configuration"", ""description"": ""Configure your Mulesoft CloudHub API connection"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Connection Settings""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Connection Alias"", ""placeholder"": ""e.g., US-Production"", ""type"": ""text"", ""name"": ""connectionAlias"", ""validations"": {""required"": true}}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Enter a unique alias to identify this connection. 
Use descriptive names like 'US-Production', 'EU-Staging', etc."", ""visible"": true, ""inline"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Mulesoft API Base URL"", ""placeholder"": ""https://anypoint.mulesoft.com"", ""type"": ""url"", ""name"": ""mulesoftBaseUrl"", ""validations"": {""required"": true}}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""**Regional Endpoints**:\n- **US**: https://anypoint.mulesoft.com\n- **EU**: https://eu1.anypoint.mulesoft.com\n- **Government**: https://gov.anypoint.mulesoft.com"", ""visible"": true, ""inline"": true}}]}, {""title"": ""Credentials"", ""description"": ""Provide your Anypoint Platform credentials"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Authentication""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Your Mulesoft Anypoint Platform username"", ""type"": ""text"", ""name"": ""username"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Your Mulesoft Anypoint Platform password"", ""type"": ""password"", ""name"": ""password"", ""validations"": {""required"": true}}}]}, {""title"": ""Environment Configuration"", ""description"": ""Configure the CloudHub environment to monitor"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Environment Settings""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Environment ID"", ""placeholder"": ""CloudHub Environment ID (found in Anypoint Platform)"", ""type"": ""text"", ""name"": ""environmentId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Application Name Filter"", ""placeholder"": ""Optional: Filter alerts for a specific application"", ""type"": ""text"", ""name"": ""applicationName""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Leave the application name filter empty to collect alerts for 
all applications in the environment."", ""visible"": true, ""inline"": true}}]}]}}]}, {""title"": ""2. Monitor and Validate"", ""description"": ""Monitor data ingestion and validate connectivity"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### Post-Connection Steps\r\n\r\n1. **Monitor Connection Status**: Check the connector status in the Data connectors page\r\n2. **Validate Data Flow**: Use the sample queries provided to verify data is being collected\r\n3. **Review Logs**: Check Azure Monitor logs for any connection or authentication issues\r\n\r\n### Data Collection Schedule\r\n- **Alerts**: Polled every 5 minutes from `/v2/alerts` endpoint\r\n\r\n### Expected Timeline\r\n- **Initial Data**: Allow 10-15 minutes for initial data to appear\r\n- **Alerts Data**: Available in the `MuleSoftCloudhub` table\r\n\r\n### Troubleshooting\r\n- **Authentication errors**: Verify credentials and environment access\r\n- **No data**: Ensure alerts exist in the specified environment\r\n- **Partial data**: Check environment ID and application filter settings""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""**Sample Query**: `MuleSoftCloudhub | where TimeGenerated > ago(24h) | summarize count() by EventSeverity`"", ""visible"": true, ""inline"": true}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Mulesoft CloudHub API access"", ""description"": ""**Mulesoft CloudHub API** access with read permissions is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftCloudHubAlerts_CCF/MuleSoftCloudHubAlerts_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","Mulesoft","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftCloudHubAlerts_CCF/MulesoftCloudHubAlerts_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftCloudHubAlerts_CCF/MulesoftCloudHubAlerts_PollingConfig.json","Basic;Paging","","","","" +"MulesoftCloudhubPushConnector","Microsoft","MuleSoft CloudHub Logs (Push Connector via Codeless Connector Framework)","MuleSoft CloudHub Log4j push-based connector for receiving application logs directly from MuleSoft CloudHub via Log4j HTTP appender. This connector allows customers to stream logs in real-time as recommended by MuleSoft, avoiding API rate limiting and duplicate data issues. Configure your MuleSoft applications with the provided Log4j HTTP appender configuration to stream logs to Microsoft Sentinel.","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector receives data from external security systems that push logs to Microsoft Sentinel. The external system must be configured to send raw event data to the Microsoft Sentinel Ingestion API. Clicking on **Deploy** will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. 
This setup enables data to be sent securely to the DCR using an Entra token.\n\n[Learn more about the connector setup process](https://review.learn.microsoft.com/azure/sentinel/create-push-codeless-connector)"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Azure Resource Deployment\n\nThe deployment process will create the following resources:\n- Log Analytics custom table(s)\n- Data Collection Endpoint (DCE)\n- Data Collection Rule (DCR)\n- Entra ID Application Registration\n- Role assignments for data ingestion""}}, {""type"": ""DeployPushConnectorButton"", ""parameters"": {""label"": ""Deploy MuleSoft CloudHub Log4j connector resources"", ""applicationDisplayName"": ""MuleSoft CloudHub Logs Push Connector""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### Configuration Values\n\nAfter deployment, copy the following values to configure your external security system:""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""TenantId""], ""label"": ""Tenant ID (Directory ID)"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationId""], ""label"": ""Entra App Registration Application ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""ApplicationSecret""], ""label"": ""Entra App Registration Secret"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""DataCollectionEndpoint""], ""label"": ""Data Collection Endpoint Url"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [""DataCollectionRuleId""], ""label"": ""Data Collection Rule Immutable ID"", ""value"": ""{0}""}}, {""type"": ""CopyableLabel"", ""parameters"": {""fillWith"": [], ""label"": ""Stream Name (MuleSoftCloudhubLogs)"", ""value"": ""Custom-MuleSoftCloudhubLogs_CL""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Keep these values secure. 
You will need them to configure your external security system."", ""visible"": true, ""inline"": true}}]}, {""title"": ""2. Configure your external system to push logs"", ""description"": ""Use the following parameters to configure your external security system to send logs to the workspace.\n\n### Configuration Steps\n\n1. Access your external security system's configuration interface.\n2. Navigate to the data forwarding, integration, or SIEM settings.\n3. Select **Azure Monitor** or **Microsoft Sentinel** as the destination.\n4. Select **Data Collection Endpoint** as the authentication method.\n5. Configure the required fields using the values from the previous step:\n - **Tenant ID**: Copy from above\n - **Application (Client) ID**: Copy from above\n - **Client Secret**: Copy from above\n - **Data Collection Endpoint**: Copy from above\n - **Data Collection Rule Immutable ID**: Copy from above\n - **Stream Name**: Copy the appropriate stream name from above\n6. Save the configuration and enable/start the forwarder.\n\n### Validation\n\n> **Note**: Data will appear in the **MuleSoftCloudhubLogs** table in your Log Analytics workspace within a few minutes.\n\nTo verify data is being received, run the following query in your Log Analytics workspace:\n\n```kusto\nMuleSoftCloudhubLogs\n| where TimeGenerated > ago(1h)\n| take 10\n```\n\n### Troubleshooting\n\nIf data is not appearing:\n- Verify the configuration values are correct\n- Check that the forwarder/integration is enabled and running\n- Review logs in your external security system for any errors\n- Ensure network connectivity from your system to Azure\n- Verify the Entra application has the correct permissions"", ""instructions"": []}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, 
""read"": true, ""delete"": false, ""action"": false}}], ""customs"": [{""name"": ""Microsoft.Insights/dataCollectionEndpoints"", ""description"": ""Data Collection Endpoint is required for the modern push connector to receive data from the external security system.""}, {""name"": ""Microsoft.Insights/dataCollectionRules"", ""description"": ""Data Collection Rule is required to define the schema and transformations for incoming data.""}, {""name"": ""Microsoft.Authorization/roleAssignments"", ""description"": ""Role assignment is required to grant the Entra application permissions to send data to the Data Collection Rule.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftLogs_CCF/MulesoftLogs_ConnectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Mulesoft","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftLogs_CCF/MulesoftLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mulesoft/Data%20Connectors/MulesoftLogs_CCF/MulesoftLogs_PollerConfig.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" "NGINXHTTPServer","Nginx","[Deprecated] NGINX HTTP Server","The NGINX HTTP Server data connector provides the capability to ingest [NGINX](https://nginx.org/en/) HTTP Server events into Microsoft Sentinel. Refer to [NGINX Logs documentation](https://nginx.org/en/docs/http/ngx_http_log_module.html) for more information.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. 
To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias NGINXHTTPServer and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX%20HTTP%20Server/Parsers/NGINXHTTPServer.txt).The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the NGINX HTTP Server where the logs are generated.\n\n> Logs from NGINX HTTP Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": 
{""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the custom log directory to be collected"", ""instructions"": [{""parameters"": {""linkType"": ""OpenCustomLogsSettings""}, ""type"": ""InstallAgent""}]}, {""title"": """", ""description"": ""1. Select the link above to open your workspace advanced settings \n2. From the left pane, select **Data**, select **Custom Logs** and click **Add+**\n3. Click **Browse** to upload a sample of a NGINX HTTP Server log file (e.g. access.log or error.log). Then, click **Next >**\n4. Select **New line** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to NGINX HTTP logs based on your configuration. Example: \n - **Linux** Directory: '/var/log/nginx/*.log' \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **NGINX_CL** as the custom log Name and click **Done**""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NGINX%20HTTP%20Server/Data%20Connectors/Connector_NGINX_agent.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","","true","NGINX HTTP Server","true","","true","","","","","","","" "NasuniEdgeAppliance","Nasuni","[Deprecated] Nasuni Edge Appliance","The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.","[{""title"": ""1. Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Configure the logs to be collected"", ""description"": ""Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n"", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure Nasuni Edge Appliance settings"", ""description"": ""Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. 
Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Nasuni/Data%20Connectors/Nasuni%20Data%20Connector.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.Facility != ""cron""","true","Nasuni","true","","true","","","","","","","" -"Netclean_ProActive_Incidents","NetClean Technologies","Netclean ProActive Incidents","This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics","[{""title"": """", ""description"": "">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""description"": ""1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). 
in Custom Log Name add Netclean_Incidents."", ""title"": "" Option 1: Logic app""}, {""description"": ""Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script"", ""title"": "" Option 2 (Testing only)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetClean%20ProActive/Data%20Connectors/Connector_NetClean.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","NetClean ProActive","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"Netclean_ProActive_Incidents","NetClean Technologies","Netclean ProActive Incidents","This connector uses the Netclean Webhook (required) and Logic Apps to push data into Microsoft Sentinel Log Analytics","[{""title"": """", ""description"": "">**NOTE:** NetClean ProActive uses a Webhook to expose incident data, Azure Logic Apps is used to receive and push data to Log Analytics This might result in additional data ingestion costs.\n It's possible to test this without Logic Apps or NetClean Proactive see option 2"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""description"": ""1. Create a new logic app\n Use When a HTTP request is recived as the Trigger and save it. It will now have generated a URL that can be used in the ProActive webconsole configuration.\n Add an action:\n Select the Azure Log Analytics Data Collector and choose Send Data\n Enter Connection Name, Workspace ID and Workspace Key, you will find the information needed in your Log Analytics workspace under Settings-->Agents-->Log Analytics agent instructions.\n In JSON Request body add @triggerBody(). 
in Custom Log Name add Netclean_Incidents."", ""title"": "" Option 1: Logic app""}, {""description"": ""Ingest data using a api function. please use the script found on\n https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell \nReplace the CustomerId and SharedKey values with your values\nReplace the content in $json variable to the sample data found here: https://github.com/Azure/Azure-Sentinel/blob/master/Sample%20Data/Custom/Netclean_Incidents_CL.json .\nSet the LogType varible to **Netclean_Incidents_CL**\nRun the script"", ""title"": "" Option 2 (Testing only)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetClean%20ProActive/Data%20Connectors/Connector_NetClean.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","NetClean ProActive","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "Netskope","Netskope","Netskope","The [Netskope Cloud Security Platform](https://www.netskope.com/platform) connector provides the capability to ingest Netskope logs and events into Microsoft Sentinel. 
The connector provides visibility into Netskope Platform Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to Netskope to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Netskope and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskope/Parsers/Netskope.txt), on the second line of the query, enter the hostname(s) of your Netskope device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Netskope API**\n\n [Follow these instructions](https://docs.netskope.com/en/rest-api-v1-overview.html) provided by Netskope to obtain an API Token. 
**Note:** A Netskope account is required""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Netskope connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Netskope API Authorization Token, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""This method provides an automated deployment of the Netskope connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-netskope-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Key**, and **URI**.\n - Use the following schema for the `uri` value: `https://.goskope.com` Replace `` with your domain.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - The default **Log Types** is set to pull all 6 available log types (`alert, page, application, audit, infrastructure, network`), remove any are not required. \n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n6. After successfully deploying the connector, download the Kusto Function to normalize the data fields. [Follow the steps](https://aka.ms/sentinelgithubparsersnetskope) to use the Kusto function alias, **Netskope**.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""This method provides the step-by-step instructions to deploy the Netskope connector manually with Azure Function.""}, {""title"": """", ""description"": ""**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**.""}, {""title"": """", ""description"": ""**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Netskope/Data%20Connectors/Netskope/AzureFunctionNetskope/run.ps1) and paste into the Function App `run.ps1` editor.\n5. 
Click **Save**.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapikey\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\ttimeInterval\n\t\tlogTypes\n\t\tlogAnalyticsUri (optional)\n> - Enter the URI that corresponds to your region. The `uri` value must follow the following schema: `https://.goskope.com` - There is no need to add subsquent parameters to the Uri, the Function App will dynamically append the parameteres in the proper format.\n> - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion. \n> - Set the `logTypes` to `alert, page, application, audit, infrastructure, network` - This list represents all the avaliable log types. Select the log types based on logging requirements, seperating each by a single comma.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.\n5. After successfully deploying the connector, download the Kusto Function to normalize the data fields. 
[Follow the steps](https://aka.ms/sentinelgithubparsersnetskope) to use the Kusto function alias, **Netskope**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Netskope API Token"", ""description"": ""A Netskope API Token is required. [See the documentation to learn more about Netskope API](https://innovatechcloud.goskope.com/docs/Netskope_Help/en/rest-api-v1-overview.html). 
**Note:** A Netskope account is required""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskope/Data%20Connectors/Netskope/Netskope_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Netskope","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "NetskopeAlertsEvents","Netskope","Netskope Alerts and Events (via Codeless Connector Framework)","Netskope Security Alerts and Events","[{""title"": ""STEP 1 - Create a Netskope API key."", ""description"": ""Follow the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/) for guidance on this step.""}, {""title"": ""STEP 2 - Enter your Netskope product Details"", ""description"": ""Enter your Netskope organisation url & API Token below:"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Organisation Url"", ""placeholder"": ""Enter your organisation url"", ""type"": ""text"", ""name"": ""OrganisationURL""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""Enter your API Key"", ""type"": ""password"", ""name"": ""apikey""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Remediation"", ""type"": ""text"", ""name"": ""NetskopeAlertsRemediationingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Remediation data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Uba"", ""type"": ""text"", ""name"": ""NetskopeAlertsUbaingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Uba data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Security Assessment"", 
""type"": ""text"", ""name"": ""NetskopeAlertsSecurityAssessmentingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Security Assessment data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Quarantine"", ""type"": ""text"", ""name"": ""NetskopeAlertsQuarantineingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Quarantine data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Policy"", ""type"": ""text"", ""name"": ""NetskopeAlertsPolicyingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Policy data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Malware"", ""type"": ""text"", ""name"": ""NetskopeAlertsMalwareingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Malware data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Malsite"", ""type"": ""text"", ""name"": ""NetskopeAlertsMalsiteingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Malsite data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts DLP"", ""type"": ""text"", ""name"": ""NetskopeAlertsDlpingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts DLP data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": 
""Netskope Alerts CTEP"", ""type"": ""text"", ""name"": ""NetskopeAlertsCtepingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts CTEP data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Watchlist"", ""type"": ""text"", ""name"": ""NetskopeAlertsWatchlistingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Watchlist data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Compromised Credentials"", ""type"": ""text"", ""name"": ""NetskopeAlertsCompromisedCredentialsingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Compromised Credentials data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Content"", ""type"": ""text"", ""name"": ""NetskopeAlertsContentingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Content data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Alerts Device"", ""type"": ""text"", ""name"": ""NetskopeAlertsDeviceingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Alerts Device data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Application"", ""type"": ""text"", ""name"": ""NetskopeEventsApplicationingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Application data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": 
""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Audit"", ""type"": ""text"", ""name"": ""NetskopeEventsAuditioningestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Audit data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Connection"", ""type"": ""text"", ""name"": ""NetskopeEventsConnectioningestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Connection data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events DLP"", ""type"": ""text"", ""name"": ""NetskopeEventsDLPingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events DLP data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Endpoint"", ""type"": ""text"", ""name"": ""NetskopeEventsEndpointingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Endpoint data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Infrastructure"", ""type"": ""text"", ""name"": ""NetskopeEventsInfrastructureingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Infrastructure data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Network"", ""type"": ""text"", ""name"": ""NetskopeEventsNetworkingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Network data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, 
{""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Netskope Events Page"", ""type"": ""text"", ""name"": ""NetskopeEventsPageingestion"", ""required"": true, ""placeholder"": ""Do you want to ingest Netskope Events Page data?"", ""options"": [{""key"": ""Yes"", ""text"": ""Yes""}, {""key"": ""No"", ""text"": ""No""}]}}, {""type"": ""InstructionStepsGroup"", ""parameters"": {""instructionSteps"": [{""title"": ""OPTIONAL: Specify the Index the API uses."", ""description"": ""**Configuring the index is optional and only required in advanced scenario's.** \n Netskope uses an [index](https://docs.netskope.com/en/using-the-rest-api-v2-dataexport-iterator-endpoints/#how-do-iterator-endpoints-function) to retrieve events. In some advanced cases (consuming the event in multiple Microsoft Sentinel workspaces, or pre-fatiguing the index to only retrieve recent data), a customer might want to have direct control over the index."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Index"", ""placeholder"": ""NetskopeCCP"", ""type"": ""text"", ""name"": ""Index""}}]}]}}]}, {""title"": ""STEP 3 - Click Connect"", ""description"": ""Verify all fields above were filled in correctly. Press the Connect to connect Netskope to Microsoft Sentinel."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Netskope organisation url"", ""description"": ""The Netskope data connector requires you to provide your organisation url. 
You can find your organisation url by signing into the Netskope portal.""}, {""name"": ""Netskope API key"", ""description"": ""The Netskope data connector requires you to provide a valid API key. You can create one by following the [Netskope documentation](https://docs.netskope.com/en/rest-api-v2-overview-312207/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Data%20Connectors/NetskopeAlertsEvents_RestAPI_CCP/NetskopeAlertsEvents_ConnectorDefination.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Netskopev2","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Data%20Connectors/NetskopeAlertsEvents_RestAPI_CCP/NetskopeAlertsEvents_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Data%20Connectors/NetskopeAlertsEvents_RestAPI_CCP/NetskopeAlertsEvents_Poller.json","APIKey","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#netskope-alerts-and-events" "NetskopeDataConnector","Netskope","Netskope Data Connector","The [Netskope](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/) data connector provides the following capabilities:
1. NetskopeToAzureStorage :
>* Get the Netskope Alerts and Events data from Netskope and ingest to Azure storage.
2. StorageToSentinel :
>* Get the Netskope Alerts and Events data from Azure storage and ingest to custom log table in log analytics workspace.
3. WebTxMetrics :
>* Get the WebTxMetrics data from Netskope and ingest to custom log table in log analytics workspace.


For more details of REST APIs refer to the below documentations:
1. Netskope API documentation:
> https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/
2. Azure storage documentation:
> https://learn.microsoft.com/azure/storage/common/storage-introduction
3. Microsoft log analytic documentation:
> https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Netskope APIs to pull its Alerts and Events data into custom log table. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)""}, {""title"": """", ""description"": ""**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)""}, {""title"": """", ""description"": ""**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)""}, {""title"": """", ""description"": ""**STEP 4 - Steps to create/get Credentials for the Netskope account** \n\n Follow the steps in this section to create/get **Netskope Hostname** and **Netskope API Token**:\n 1. Login to your **Netskope Tenant** and go to the **Settings menu** on the left navigation bar.\n 2. Click on Tools and then **REST API v2**\n 3. Now, click on the new token button. Then it will ask for token name, expiration duration and the endpoints that you want to fetch data from.\n 5. Once that is done click the save button, the token will be generated. Copy the token and save at a secure place for further usage.""}, {""title"": """", ""description"": ""**STEP 5 - Steps to create the azure functions for Netskope Alerts and Events Data Collection**\n\n>**IMPORTANT:** Before deploying Netskope data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Netskope API Authorization Key(s)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""description"": ""Using the ARM template deploy the function apps for ingestion of Netskope events and alerts data to Sentinel.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-NetskopeV2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. 
Enter the below information : \n\t\tNetskope HostName \n\t\tNetskope API Token \n\t\tSelect Yes in Alerts and Events types dropdown for that endpoint you want to fetch Alerts and Events \n\t\tLog Level \n\t\tWorkspace ID \n\t\tWorkspace Key \n4. Click on **Review+Create**. \n5. Then after validation click on **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Azure Subscription"", ""description"": ""Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group.""}, {""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**Netskope Tenant** and **Netskope API Token** is required. 
See the documentation to learn more about API on the [Rest API reference](https://docs.netskope.com/en/netskope-help/admin-console/rest-api/rest-api-v2-overview-312207/)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netskopev2/Data%20Connectors/NetskopeDataConnector/Netskope_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Netskopev2","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#netskope-data-connector" 
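Review bot: The added `Netclean_ProActive_Incidents` row is field-for-field identical to the adjacent Netclean row (same description, same Option 1/Option 2 instruction text, same `Connector_NetClean.json` source URL, same `HTTP Data Collector API` / "Connector definition requires workspace key (SharedKey pattern)" classification) except for a single boolean column that reads `"true"` in the existing row and `"false"` in the added one; please confirm that this second connector ID actually exists as a separate definition in the NetClean ProActive solution rather than being a duplicate emitted by the mapper for one file, and say in the PR description which column that flag is, since a reader of the diff cannot tell from the run-together row. Unrelated to this change but worth a line in the description: the instruction text in these rows carries typos from the upstream connector definitions ("recived", "varible", "Tempate", "preferrable", "avaliable"); those are the connector authors' strings and should stay untouched in a generated CSV rather than be hand-edited here.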
@@ -402,7 +410,7 @@ "NetskopeWebTxConnector","Netskope","Netskope Web Transaction Connector (via Blob Storage)","The Netskope Web Transaction connector ingests web transaction logs from Netskope Log Streaming into Microsoft Sentinel via Azure Blob Storage using the Codeless Connector Framework (CCF).","[{""title"": ""Connect Netskope WebTx Logs to Microsoft Sentinel"", ""description"": ""To enable the Netskope WebTx Logs for Microsoft Sentinel, provide the required information below and click on Connect.\n>"", ""instructions"": [{""parameters"": {""tenantId"": ""[subscription().tenantId]"", ""name"": ""principalId"", ""appId"": ""4f05ce56-95b6-4612-9d98-a45c8cc33f9f""}, ""type"": ""ServicePrincipalIDTextBox_test""}, {""parameters"": {""label"": ""The blob container URL you want to collect data from"", ""type"": ""text"", ""name"": ""blobContainerUri""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""The blobs folder name in the container. Optional."", ""type"": ""text"", ""name"": ""blobFolderName""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""The blob container's storage account location"", ""type"": ""text"", ""name"": ""StorageAccountlocation""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""The blob container's storage account resource group name"", ""type"": ""text"", ""name"": ""StorageAccountResourceGroupName""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""The blob container's storage account subscription id"", ""type"": ""text"", ""name"": ""StorageAccountSubscription""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""The event grid topic name of the blob container's storage account if exist. else keep empty."", ""description"": ""The data flow using event grid to send 'blob-created event' notifications. There could be only one event grid topic for each storage account.\nGo to your blob container's storage account and look in the 'Events' section. If you already have a topic, please provide it's name. 
Else, keep the text box empty."", ""type"": ""text"", ""name"": ""EGSystemTopicName""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": false, ""write"": false, ""delete"": false, ""action"": true}}], ""customs"": [{""name"": ""Subscription permissions"", ""description"": ""You need permissions to create the data flow resources: \n- storage queues (notification queue and dead-letter queue) \n- event grid topic and subscription (to send 'blob created event' notifications to the notification queue) \n- role assignments (to grant access for Microsoft Sentinel app to the blob container and the storage queues.)""}, {""name"": ""Storage Account Network Configuration"", ""description"": ""Network restrictions (firewall/IP rules) on the Azure Blob Storage account are **not supported** for this connector due to [Azure Storage firewall restrictions and limitations](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security-limitations):\n- IP network rules have**no effect**on requests originating from the same Azure region as the storage account.\n- IP network rules**cannot restrict**access to Azure services deployed in the same region, as 
these services use private Azure IP addresses for communication.\n- Virtual network service endpoint rules do not apply to clients in a paired region.\n\nEnsure the storage account's **Networking** blade is set to **Enabled from all networks**.""}, {""name"": ""Storage Account Role Assignments"", ""description"": ""The following Azure RBAC roles must be assigned to the Microsoft Sentinel enterprise application service principal (displayed below) on the **Storage Account** that contains your blob container:\n- **Storage Blob Data Contributor** \u2014 required for reading blob data from the container.\n- **Storage Queue Data Contributor** \u2014 required for managing notification and dead-letter queue messages.\n\nTo assign these roles: navigate to the Storage Account \u2192 **Access Control (IAM)** \u2192 **Add role assignment**, search for the service principal ID shown below, and assign both roles.""}, {""name"": ""Collecting data from Netskope to your blob container"", ""description"": ""Follow the steps in the [Netskope Log Streaming documentation](https://docs.netskope.com/en/log-streaming.html) to configure Netskope to stream Web Transaction logs to your Azure Blob Storage container.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Data%20Connectors/NetskopeWebTx_CCF/NetskopeWebtx_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","NetskopeWebTx","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Data%20Connectors/NetskopeWebTx_CCF/NetskopeWebtx_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Data%20Connectors/NetskopeWebTx_CCF/NetskopeWebtx_PollingConfig.json","StorageAccountBlobContainer;ServicePrincipal","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#netskope-web-transaction-connector-via-blob-storage" "Netwrix","Netwrix","[Deprecated] Netwrix Auditor via Legacy 
Agent","Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation."", ""instructions"": []}, {""title"": ""1. Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Configure Netwrix Auditor to send logs using CEF"", ""description"": ""[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.""}, {""title"": ""3. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netwrix%20Auditor/Data%20Connectors/Connector_NetwrixAuditor.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceVendor == ""Netwrix""","true","Netwrix Auditor","true","","true","","","","","","","" "NetwrixAma","Netwrix","[Deprecated] Netwrix Auditor via AMA","Netwrix Auditor data connector provides the capability to ingest [Netwrix Auditor (formerly Stealthbits Privileged Activity Manager)](https://www.netwrix.com/auditor.html) events into Microsoft Sentinel. Refer to [Netwrix documentation](https://helpcenter.netwrix.com/) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on NetwrixAuditor parser based on a Kusto Function to work as expected. This parser is installed along with solution installation."", ""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. 
Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"", ""instructions"": []}, {""title"": ""Step B. Configure Netwrix Auditor to send logs using CEF"", ""description"": ""[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor."", ""instructions"": []}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Netwrix%20Auditor/Data%20Connectors/template_NetwrixAuditorAMA.json","","AMA","Title/ID indicates AMA","Netwrix","","{""CommonSecurityLog"": {""vendor"": [""Netwrix""], ""product"": []}}","CommonSecurityLog.DeviceVendor =~ ""Netwrix""","true","Netwrix Auditor","true","","true","","","","","","","" -"NonameSecurityMicrosoftSentinel","Noname Security","Noname Security for Microsoft Sentinel","Noname Security solution to POST data into a Microsoft Sentinel SIEM workspace via the Azure Monitor REST API","[{""title"": ""Configure the Noname Sentinel integration."", ""description"": ""Configure the Sentinel workflow in the Noname integrations settings. Find documentation at https://docs.nonamesecurity.com"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NonameSecurity/Data%20Connectors/Connector_RESTAPI_NonameSecurity.json","","REST Pull API","Title/description mentions REST API","","","","","false","Noname API Security Solution for Microsoft Sentinel","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"NonameSecurityMicrosoftSentinel","Noname Security","Noname Security for Microsoft Sentinel","Noname Security solution to POST data into a Microsoft Sentinel SIEM workspace via the Azure Monitor REST API","[{""title"": ""Configure the Noname Sentinel integration."", ""description"": ""Configure the Sentinel workflow in the Noname integrations settings. Find documentation at https://docs.nonamesecurity.com"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NonameSecurity/Data%20Connectors/Connector_RESTAPI_NonameSecurity.json","","REST Pull API","Title/description mentions REST API","","","","","false","Noname API Security Solution for Microsoft Sentinel","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "NordPass","NordPass","NordPass","Integrating NordPass with Microsoft Sentinel SIEM via the API will allow you to automatically transfer Activity Log data from NordPass to Microsoft Sentinel and get real-time insights, such as item activity, all login attempts, and security notifications.","[{""description"": ""To proceed with the Microsoft Sentinel setup\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Nordpass-azuredeploy)\n2. 
**Please note that after the successful deployment, the system pulls Activity Log data every 1 minute by default.**""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""description"": ""Ensure that the [resource group](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups) and the [Log Analytics workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal) are created and located in the same region so you can deploy the Azure Functions.""}, {""description"": ""[Add Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard#enable-microsoft-sentinel-) to the created Log Analytics workspace.""}, {""description"": ""Generate a [Microsoft Sentinel API URL and token](https://www.google.com/url?q=https://support.nordpass.com/hc/en-us/articles/31972037289873&sa=D&source=docs&ust=1743770997230005&usg=AOvVaw16p0hstJ6OeBBoFdBKZRfr) in the NordPass Admin Panel to finish the Azure Functions integration. Please note that you\u2019ll need the NordPass Enterprise account for that.""}, {""description"": ""**Important:** This connector uses Azure Functions to retrieve Activity Logs from NordPass into Microsoft Sentinel. This may result in additional data ingestion costs. 
For more information, refer to the Azure Functions pricing page.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Data%20Connectors/NordPass_API_FunctionApp.json;https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordPass/Data%20Connectors/deployment/NordPass_data_connector.json","","Azure Function","Sibling ARM template declares Function App + DCR / Log Ingestion API resources","","","","","false","NordPass","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#nordpass" "NordStellarPush","Nord Security Inc.","NordStellar (Push)","The [NordStellar](https://nordstellar.com) connector pushes real-time threat intelligence and exposure events from the NordStellar platform into Microsoft Sentinel using the Codeless Connector Framework (CCF) Push pattern. All event types are routed to a single unified `NordStellar_CL` table with common columns (`EventId`, `EventType`, `Module`, `RiskLevel`, `AssetType`, `AssetValue`, `Tags`) extracted by the DCR's KQL transform, while type-specific payload is preserved in a dynamic `Details` column.

**Supported event types:**

- **Leaked Data** (`module: LEAKED_DATA`): `DATA_BREACH`, `COMBO_LIST`, `MALWARE_INFECTION`, `CONSUMER_CREDENTIAL`
- **Dark Web Monitoring** (`module: DARK_WEB_MONITORING`): `DARK_WEB_FORUM_POST`, `DARK_WEB_TELEGRAM_POST`, `DARK_WEB_RANSOMWARE_POST`, `DARK_WEB_MARKETPLACE_POST`
- **Domain Squatting** (`module: DOMAIN_SQUATTING`): `DOMAIN_PERMUTATION`
- **Attack Surface** (`module: ATTACK_SURFACE`): `ATTACK_SURFACE_WEB_APPLICATION_VULNERABILITY`, `ATTACK_SURFACE_NETWORK_SERVICE_VULNERABILITY`, `ATTACK_SURFACE_DNS_VULNERABILITY`","[{""title"": ""1. Deploy connector resources"", ""description"": ""This connector enables NordStellar to push real-time threat intelligence and exposure events directly to Microsoft Sentinel via the Azure Monitor Ingestion API."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated configuration\nClicking **Deploy** will create:\n- A custom Log Analytics table `NordStellar_CL`\n- A Data Collection Rule (DCR) with a single stream `Custom-NordStellar` and a KQL transform that promotes common fields and preserves the type-specific payload in `Details`\n- The Data Collection Endpoint (DCE) used for ingestion\n- A Microsoft Entra application with OAuth 2.0 client credentials\n- The required `Monitoring Metrics Publisher` role assignment on the DCR\n\nThe credentials returned below are then configured in the NordStellar portal so events can be pushed securely.""}}, {""type"": ""DeployPushConnectorButton"", ""parameters"": {""label"": ""Deploy NordStellar Push connector resources"", ""applicationDisplayName"": ""NordStellar Sentinel Push Connector Application""}}]}, {""title"": ""2. 
Configure NordStellar"", ""description"": ""Use the following parameters to configure the Microsoft Sentinel integration in the NordStellar portal."", ""instructions"": [{""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Tenant ID (Directory ID)"", ""fillWith"": [""TenantId""]}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Application (Client) ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the Application ID""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Client Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the Client Secret""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Data Collection Endpoint URI"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the DCE Endpoint""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Data Collection Rule Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the DCR Immutable ID""}}, {""type"": ""CopyableLabel"", ""parameters"": {""label"": ""Stream Name"", ""value"": ""Custom-NordStellar""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### On-the-wire envelope\nNordStellar must POST a JSON array to `{DCE URI}/dataCollectionRules/{DCR Immutable ID}/streams/Custom-NordStellar?api-version=2023-01-01` with an OAuth bearer token for the scope `https://monitor.azure.com//.default`.\n\nEach element wraps the original webhook event in a thin envelope:\n\n```json\n[\n {\n \""time\"": \""2026-04-27T10:30:00Z\"",\n \""event\"": {\n \""id\"": \""...\"",\n \""type\"": \""DATA_BREACH\"",\n \""module\"": \""LEAKED_DATA\"",\n \""risk_level\"": \""HIGH\"",\n \""date_added\"": \""...\"",\n \""tags\"": [\""NAME\""],\n \""asset\"": { \""type\"": \""EMAIL\"", \""value\"": \""user@company.com\"" }\n }\n }\n]\n```\n\nThe DCR's KQL transform promotes `id`, `type`, `module`, 
`risk_level`, `asset.type`/`source_type`, `asset.value`/`asset_value`, `tags`, and the appropriate timestamp (`date_added` for leaked-data/dark-web/domain-permutation, `detected_at` for attack-surface) into typed columns. Everything else is preserved in the dynamic `Details` column.""}}]}, {""title"": ""3. Verify data ingestion"", ""description"": ""Confirm events are flowing from NordStellar to Sentinel."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""Wait 5-10 minutes after enabling the integration, then run this KQL query in your Microsoft Sentinel workspace:\n\n```kql\nNordStellar_CL\n| where TimeGenerated > ago(1h)\n| summarize count() by EventType, Module\n| order by count_ desc\n```\n\nIf no data appears after 15 minutes, verify the credentials in the NordStellar portal and check Azure Monitor for ingestion errors on the DCR.""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). 
Typically requires Azure RBAC Owner or User Access Administrator role.""}, {""name"": ""NordStellar"", ""description"": ""Active NordStellar tenant with permission to configure outbound webhooks for the integration.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordStellar/Data%20Connectors/NordStellar_ccf/connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","NordStellar","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordStellar/Data%20Connectors/NordStellar_ccf/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NordStellar/Data%20Connectors/NordStellar_ccf/dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" "NozomiNetworksN2OS","Nozomi Networks","[Deprecated] Nozomi Networks N2OS via Legacy Agent","The [Nozomi Networks](https://www.nozominetworks.com/) data connector provides the capability to ingest Nozomi Networks Events into Microsoft Sentinel. Refer to the Nozomi Networks [PDF documentation](https://www.nozominetworks.com/resources/data-sheets-brochures-learning-guides/) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**NozomiNetworksEvents**](https://aka.ms/sentinel-NozomiNetworks-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Follow these steps to configure Nozomi Networks device for sending Alerts, Audit Logs, Health Logs log via syslog in CEF format:\n\n> 1. Log in to the Guardian console.\n\n> 2. Navigate to Administration->Data Integration, press +Add and select the Common Event Format (CEF) from the drop down\n\n> 3. Create New Endpoint using the appropriate host information and enable Alerts, Audit Logs, Health Logs for sending.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NozomiNetworks/Data%20Connectors/NozomiNetworksN2OS.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceVendor has ""Nozomi"" | _Computed.DeviceCustomString1Label contains ""Browser"" | _Computed.DeviceCustomString1Label contains ""Risk""","true","NozomiNetworks","true","","true","","","","","","","" @@ -443,7 +451,7 @@ "PaloAltoPrismaCloud","Palo Alto","[DEPRECATED] Palo Alto Prisma Cloud CSPM","The Palo Alto Prisma Cloud CSPM data connector provides the capability to ingest [Prisma Cloud CSPM alerts](https://prisma.pan.dev/api/cloud/cspm/alerts#operation/get-alerts) and [audit logs](https://prisma.pan.dev/api/cloud/cspm/audit-logs#operation/rl-audit-logs) into Microsoft sentinel using the Prisma Cloud CSPM API. Refer to [Prisma Cloud CSPM API documentation](https://prisma.pan.dev/api/cloud/cspm) for more information.

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Palo Alto Prisma Cloud REST API to pull logs into Microsoft sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoPrismaCloud**](https://aka.ms/sentinel-PaloAltoPrismaCloud-parser) which is deployed with the Microsoft sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration of the Prisma Cloud**\n\nFollow the documentation to [create Prisma Cloud Access Key](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) and [obtain Prisma Cloud API Url](https://api.docs.prismacloud.io/reference)\n\n NOTE: Please use SYSTEM ADMIN role for giving access to Prisma Cloud API because only SYSTEM ADMIN role is allowed to View Prisma Cloud Audit Logs. 
Refer to [Prisma Cloud Administrator Permissions (paloaltonetworks.com)](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/prisma-cloud-admin-permissions) for more details of administrator permissions.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Prisma Cloud data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Prisma Cloud API credentials, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Prisma Cloud data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-PaloAltoPrismaCloud-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Prisma Cloud API Url**, **Prisma Cloud Access Key ID**, **Prisma Cloud Secret Key**, **Microsoft sentinel Workspace Id**, **Microsoft sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Prisma Cloud data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-PaloAltoPrismaCloud-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tPrismaCloudAPIUrl\n\t\tPrismaCloudAccessKeyID\n\t\tPrismaCloudSecretKey\n\t\tAzureSentinelWorkspaceId\n\t\tAzureSentinelSharedKey\n\t\tlogAnalyticsUri (Optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n5. 
Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Palo Alto Prisma Cloud API Credentials"", ""description"": ""**Prisma Cloud API Url**, **Prisma Cloud Access Key ID**, **Prisma Cloud Secret Key** are required for Prisma Cloud API connection. 
See the documentation to learn more about [creating Prisma Cloud Access Key](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/create-access-keys.html) and about [obtaining Prisma Cloud API Url](https://prisma.pan.dev/api/cloud/api-urls)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Data%20Connectors/PrismaCloud_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","PaloAltoPrismaCloud","true","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#palo-alto-prisma-cloud-cspm-via-codeless-connector-framework" "PaloAltoPrismaCloudCSPMCCPDefinition","Microsoft","Palo Alto Prisma Cloud CSPM (via Codeless Connector Framework)","The Palo Alto Prisma Cloud CSPM data connector allows you to connect to your Palo Alto Prisma Cloud CSPM instance and ingesting Alerts (https://pan.dev/prisma-cloud/api/cspm/alerts/) & Audit Logs(https://pan.dev/prisma-cloud/api/cspm/audit-logs/) into Microsoft Sentinel.","[{""description"": ""To get more information on how to obtain the Prisma Cloud Access Key, Secret Key, and Base URL, please refer to the[connector tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Data%20Connectors/Readme.md), provide the required information below and click on Connect.\n>"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Prisma Cloud Access Key"", ""placeholder"": ""Enter Access Key"", ""type"": ""text"", ""name"": ""username""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Prisma Cloud Secret Key"", ""placeholder"": ""Enter Secret Key"", ""type"": ""password"", ""name"": ""password""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Prisma Cloud Base URL"", ""placeholder"": 
""https://api2.eu.prismacloud.io"", ""type"": ""text"", ""name"": ""baseurl""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""PaloAltoPrismaCloudCSPM Api Endpoints"", ""columnValue"": ""properties.request.apiEndpoint""}]}}], ""title"": ""Connect Palo Alto Prisma Cloud CSPM Events to Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Data%20Connectors/PrismaCloudCSPMLog_CCF/PaloAltoPrismaCloudCSPMLog_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","PaloAltoPrismaCloud","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Data%20Connectors/PrismaCloudCSPMLog_CCF/PaloAltoPrismaCloudCSPMLog_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Data%20Connectors/PrismaCloudCSPMLog_CCF/PaloAltoPrismaCloudCSPMLog_PollingConfig.json","JwtToken;Paging;POST","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#palo-alto-prisma-cloud-cspm-via-codeless-connector-framework" 
"PaloAltoPrismaCloudCWPP","Microsoft","Palo Alto Prisma Cloud CWPP (using REST API)","The [Palo Alto Prisma Cloud CWPP](https://prisma.pan.dev/api/cloud/cwpp/audits/#operation/get-audits-incidents) data connector allows you to connect to your Palo Alto Prisma Cloud CWPP instance and ingesting alerts into Microsoft Sentinel. The data connector is built on Microsoft Sentinel's Codeless Connector Platform and uses the Prisma Cloud API to fetch security events and supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security event data into a custom columns so that queries don't need to parse it again, thus resulting in better performance.","[{""description"": ""To enable the Palo Alto Prisma Cloud CWPP Security Events for Microsoft Sentinel, provide the required information below and click on Connect.\n>"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Path to console"", ""placeholder"": ""europe-west3.cloud.twistlock.com/{sasid}"", ""type"": ""text"", ""name"": ""domainname""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Prisma Access Key (API)"", ""placeholder"": ""Prisma Access Key (API)"", ""type"": ""text"", ""name"": ""username""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Secret"", ""placeholder"": ""Secret"", ""type"": ""password"", ""name"": ""password""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}], ""title"": ""Connect Palo Alto Prisma Cloud CWPP Security Events to Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": 
""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""PrismaCloudCompute API Key"", ""description"": ""A Palo Alto Prisma Cloud CWPP Monitor API username and password is required. [See the documentation to learn more about PrismaCloudCompute SIEM API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/readme.md).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/PaloAltoPrismaCloudCWPP_ccp/connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Palo Alto Prisma Cloud CWPP","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/PaloAltoPrismaCloudCWPP_ccp/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Palo%20Alto%20Prisma%20Cloud%20CWPP/Data%20Connectors/PaloAltoPrismaCloudCWPP_ccp/dataConnectorPoller.json","Basic;Paging","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#palo-alto-prisma-cloud-cwpp-using-rest-api" -"Pathlock_TDnR","Pathlock Inc.","Pathlock Threat Detection and Response Integration","Pathlock Threat Detection and Response enables seamless forwarding of security alerts and logs detected and collected by the Pathlock Platform into Microsoft Sentinel Solution for SAP.","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""We will create data collection rule (DCR) and data collection endpoint (DCE) resources. 
We will also create a Microsoft Entra app registration and assign the required permissions to it."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated deployment of Azure resources\nClicking on \""Deploy push connector resources\"" will trigger the creation of DCR and DCE resources.\nIt will then create a Microsoft Entra app registration with client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using a OAuth v2 client credentials.""}}, {""parameters"": {""label"": ""Deploy push connector resources"", ""applicationDisplayName"": ""Pathlock Threat Detection and Response forwarding to Microsoft Sentinel Solution for SAP""}, ""type"": ""DeployPushConnectorButton_test""}]}, {""title"": ""2. Maintain the data collection endpoint details and authentication info in Pathlock Threat Detection and Response"", ""description"": ""Share the data collection endpoint URL and authentication info with the Pathlock Threat Detection and Response Integration administrator to configure the Integration."", ""instructions"": [{""parameters"": {""label"": ""Use this value to configure as Tenant ID in the LogIngestionAPI credential."", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the Application Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Use this value to configure the LogsIngestionURL parameter."", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the DCE URI""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""DCR Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], 
""placeholder"": ""Deploy push connector to get the DCR ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Data%20Connectors/Pathlock_TDnR.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","true","Pathlock_TDnR","false","","true","","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Data%20Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_PollingConfig.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" +"Pathlock_TDnR","Pathlock Inc.","Pathlock Inc.: Threat Detection and Response for SAP","The [Pathlock Threat Detection and Response (TD&R)](https://pathlock.com/products/cybersecurity-application-controls/) integration with **Microsoft Sentinel Solution for SAP** delivers unified, real-time visibility into SAP security events, enabling organizations to detect and act on threats across all SAP landscapes. 
This out-of-the-box integration allows Security Operations Centers (SOCs) to correlate SAP-specific alerts with enterprise-wide telemetry, creating actionable intelligence that connects IT security with business processes.

Pathlock’s connector is purpose-built for SAP and forwards only **security-relevant events by default**, minimizing data volume and noise while maintaining the flexibility to forward all log sources when needed. Each event is enriched with **business process context**, allowing Microsoft Sentinel Solution for SAP analytics to distinguish operational patterns from real threats and to prioritize what truly matters.

This precision-driven approach helps security teams drastically reduce false positives, focus investigations, and accelerate **mean time to detect (MTTD)** and **mean time to respond (MTTR)**. Pathlock’s library consists of more than 1,500 SAP-specific detection signatures across 70+ log sources, the solution uncovers complex attack behaviors, configuration weaknesses, and access anomalies.

By combining business-context intelligence with advanced analytics, Pathlock enables enterprises to strengthen detection accuracy, streamline response actions, and maintain continuous control across their SAP environments—without adding complexity or redundant monitoring layers.

For detailed guidance on how to deploy this connector, refer to the [Pathlock help portal](https://help.pathlock.com).","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""We will create data collection rule (DCR) and data collection endpoint (DCE) resources. We will also create a Microsoft Entra app registration and assign the required permissions to it."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated deployment of Azure resources\nClicking on \""Deploy push connector resources\"" will trigger the creation of DCR and DCE resources.\nIt will then create a Microsoft Entra app registration with client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using a OAuth v2 client credentials.""}}, {""parameters"": {""label"": ""Deploy push connector resources"", ""applicationDisplayName"": ""Pathlock Inc. Threat Detection and Response for SAP""}, ""type"": ""DeployPushConnectorButton_test""}]}, {""title"": ""2. Maintain the data collection endpoint details and authentication info in your central instance of Pathlock's Cybersecurity Application Controls: Threat Detection and Response"", ""description"": ""Share the data collection endpoint URL and authentication info with the Pathlock administrator to configure the plug and play forwarding in Threat Detection and Response to send data to the data collection endpoint.\nFor detailed deployment guidance, refer to the [Pathlock help portal](https://help.pathlock.com). 
Please do not hesitate to contact Pathlock if support is needed.\n\n"", ""instructions"": [{""parameters"": {""label"": ""Use this value to configure as Tenant ID in the LogIngestionAPI credential."", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the Application Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Use this value to configure the LogsIngestionURL parameter when deploying the IFlow."", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the DCE URI""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""DCR Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the DCR ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. 
Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Data%20Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Pathlock_TDnR","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Data%20Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pathlock_TDnR/Data%20Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_PollingConfig.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#pathlock-inc-threat-detection-and-response-for-sap" "Perimeter81ActivityLogs","Perimeter 81","Perimeter 81 Activity Logs","The Perimeter 81 Activity Logs connector allows you to easily connect your Perimeter 81 activity logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.","[{""title"": """", ""description"": ""Please note the values below and follow the instructions here to connect your Perimeter 81 activity logs with Microsoft Sentinel."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": 
true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Perimeter%2081/Data%20Connectors/Perimeter81ActivityLogs.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Perimeter 81","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#perimeter-81-activity-logs" "Phosphorus_Polling","Phosphorus Inc.","Phosphorus Devices","The Phosphorus Device Connector provides the capability to Phosphorus to ingest device data logs into Microsoft Sentinel through the Phosphorus REST API. The Connector provides visibility into the devices enrolled in Phosphorus. This Data Connector pulls devices information along with its corresponding alerts.","[{""description"": ""**STEP 1 - Configuration steps for the Phosphorus API**\n\n Follow these instructions to create a Phosphorus API key.\n 1. Log into your Phosphorus instance\n 2. Navigate to Settings -> API \n 3. If the API key has not already been created, press the **Add button** to create the API key\n 4. 
The API key can now be copied and used during the Phosphorus Device connector configuration""}, {""title"": ""Connect the Phosphorus Application with Microsoft Sentinel"", ""description"": ""**STEP 2 - Fill in the details below**\n\n>**IMPORTANT:** Before deploying the Phosphorus Device data connector, have the Phosphorus Instance Domain Name readily available as well as the Phosphorus API Key(s)"", ""instructions"": [{""parameters"": {""enable"": ""true"", ""userRequestPlaceHoldersInput"": [{""displayText"": ""Domain Name"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{urlPlaceHolder}}"", ""placeHolderValue"": """"}, {""displayText"": ""Integration Name"", ""requestObjectKey"": ""apiEndpoint"", ""placeHolderName"": ""{{integrationName}}"", ""placeHolderValue"": """"}]}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true, ""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""REST API Credentials/permissions"", ""description"": ""**Phosphorus API Key** is required. Please make sure that the API Key associated with the User has the Manage Settings permissions enabled.\n\n Follow these instructions to enable Manage Settings permissions.\n 1. Log in to the Phosphorus Application\n 2. Go to 'Settings' -> 'Groups'\n 3. Select the Group the Integration user is a part of\n 4. Navigate to 'Product Actions' -> toggle on the 'Manage Settings' permission. 
""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Phosphorus/Data%20Connectors/PhosphorusDataConnector.json","","CCF","CCF with embedded pollingConfig (no separate config file)","","","","","false","Phosphorus","false","","true","","","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#phosphorus-devices" "PingFederate","Ping Identity","[Deprecated] PingFederate via Legacy Agent","The [PingFederate](https://www.pingidentity.com/en/software/pingfederate.html) data connector provides the capability to ingest [PingFederate events](https://docs.pingidentity.com/bundle/pingfederate-102/page/lly1564002980532.html) into Microsoft Sentinel. Refer to [PingFederate documentation](https://docs.pingidentity.com/bundle/pingfederate-102/page/tle1564002955874.html) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PingFederateEvent**](https://aka.ms/sentinel-PingFederate-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward Common Event Format (CEF) logs to Syslog agent"", ""description"": ""[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Data%20Connectors/Connector_CEF_PingFederate.json","","AMA","Title mentions Legacy Agent","","","","CommonSecurityLog.DeviceProduct has ""PingFederate""","true","PingFederate","true","","true","","","","","","","" 
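Review bot: the replacement `Pathlock_TDnR` row still carries the instruction type `DeployPushConnectorButton_test` in its instructions column (the `_test` suffix was also in the removed row, so it was not fixed by regenerating from `Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json`); worth confirming with the connector owner that this is the intended button type before the row is published, since the mapper copies it verbatim. Two other things to double-check in the same row: the definition path moved from `Data Connectors/Pathlock_TDnR.json` to `Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json` and only one row remains, so the old file should either be gone or intentionally excluded, otherwise the generator would have emitted both; and the boolean column immediately after the permissions JSON flipped from `"true"` to `"false"` while the DCR link and the `learn.microsoft.com` reference columns went from empty to populated, which should match what the upstream definition actually changed rather than a mapping-rule difference between the two paths.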
@@ -460,7 +468,7 @@ "PulseConnectSecure","Pulse Secure","[Deprecated] Pulse Connect Secure","The [Pulse Connect Secure](https://www.pulsesecure.net/products/pulse-connect-secure/) connector allows you to easily connect your Pulse Connect Secure logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Pulse Connect Secure with Microsoft Sentinel provides more insight into your organization's network and improves your security operation capabilities.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Pulse Connect Secure and load the function code or click [here](https://aka.ms/sentinel-PulseConnectSecure-parser), on the second line of the query, enter the hostname(s) of your Pulse Connect Secure device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the Pulse Connect Secure"", ""description"": ""[Follow the instructions](https://help.ivanti.com/ps/help/en_US/PPS/9.1R13/ag/configuring_an_external_syslog_server.htm) to enable syslog streaming of Pulse Connect Secure logs. 
Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Pulse Connect Secure"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse%20Connect%20Secure/Data%20Connectors/Connector_Syslog_PulseConnectSecure.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.Facility == ""local7""","true","Pulse Connect Secure","true","","true","","","","","","","" "QscoutAppEventsCCFDefinition","Quokka","QscoutAppEventsConnector (via Codeless Connector Framework)","Ingest Qscout application events into Microsoft Sentinel","[{""description"": "">**NOTE:** This connector uses Codeless Connector Framework (CCF) to connect to the Qscout app events feed and ingest data into Microsoft Sentinel""}, {""description"": ""Provide the required values below:\n"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Qscout Organization ID"", ""placeholder"": ""123456"", ""type"": ""text"", ""name"": ""organizationId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Qscout Organization API Key"", ""placeholder"": ""abcdxyz"", ""type"": ""password"", ""name"": ""apiKey""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], 
""customs"": [{""name"": ""Qscout Organization ID"", ""description"": ""The API requires your organization ID in Qscout.""}, {""name"": ""Qscout Organization API Key"", ""description"": ""The API requires your organization API key in Qscout.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Quokka/Data%20Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Quokka","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Quokka/Data%20Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Quokka/Data%20Connectors/QuokkaQscoutAppEventsLogs_ccf/QuokkaQscoutAppEventsLogs_PollingConfig.json","APIKey","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qscoutappeventsconnector-via-codeless-connector-framework" "QualysKB","Qualys","Qualys VM KnowledgeBase","The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from the Qualys KB into Microsoft Sentinel.

This data can used to correlate and enrich vulnerability detections found by the [Qualys Vulnerability Management (VM)](https://docs.microsoft.com/azure/sentinel/connect-qualys-vm) data connector.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias QualysVM Knowledgebase and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your QualysVM Knowledgebase device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": """", ""description"": "">This data connector depends on a parser based on a Kusto Function to work as expected. [Follow the steps](https://aka.ms/sentinel-qualyskb-parser) to use the Kusto function alias, **QualysKB**""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Qualys API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users**.\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. 
Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys KB connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys API username and password, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Qualys KB connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-qualyskb-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-qualyskb-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (This value should include a \""&\"" symbol between each parameter and should not include any spaces) \n> - Enter the URI that corresponds to your region. 
The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348)\n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.\n - Note: If deployment failed due to the storage account name being taken, change the **Function Name** to a unique value and redeploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""This method provides the step-by-step instructions to deploy the Qualys KB connector manually with Azure Function."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the [Azure Function App](https://aka.ms/sentinel-qualyskb-functioncode) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. 
Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\tlogAnalyticsUri (optional)\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0` \n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. The `filterParameter` value should include a \""&\"" symbol between each parameter and should not include any spaces.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for delegated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Qualys API Key"", ""description"": ""A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Qualys VM Knowledgebase","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vm-knowledgebase-using-azure-functions" -"QualysKbConnector","Microsoft","Qualys Knowledge Base (via Codeless Connector Framework)","Ingest Qualys Knowledge Base Vulnerability Data into Microsoft Sentinel using version 4.0 of the Qualys API.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 1: Set Credentials\nProvide your Qualys API credentials to enable data ingestion from the Qualys Knowledge Base.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Qualys VM, you need to provide the following resources:""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""- **API Credentials**: username and password for an account with read access to the Knowledge Base API. 
You can find the exact permissions needed in the [Qualys API documentation](https://docs.qualys.com/en/vm/api/scans/kbase/knowledgebase.htm).""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""- **API Server URL**: the Qualys API server URL specific to your region. You can find the exact API server URL for your region [here](https://www.qualys.com/platform-identification/#api-urls)""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Server URL"", ""placeholder"": ""Enter API Server URL"", ""type"": ""url"", ""name"": ""apiServerUrl"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Enter Qualys username"", ""type"": ""text"", ""name"": ""username"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Enter your Qualys password or token"", ""type"": ""password"", ""name"": ""password"", ""validations"": {""required"": true}}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 2: Set Any Optional Filters""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""Configure optional filters to customize which vulnerabilities are ingested. Learn more about available filters in the [Qualys API documentation](https://docs.qualys.com/en/vm/api/scans/kbase/knowledgebase.htm).""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### 2a. 
Filter by Patch Status \nChoose to only show vulnerabilities that are patchable or not patchable.""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Include vulnerabilities that are:"", ""name"": ""isPatchable"", ""options"": [{""key"": ""2"", ""text"": ""Both patchable and unpatchable (default)""}, {""key"": ""1"", ""text"": ""Patchable only""}, {""key"": ""0"", ""text"": ""Unpatchable only""}], ""placeholder"": ""Select patchability filter"", ""isMultiSelect"": false, ""required"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### 2b. Filter by Discovery Method and Authentication Types \nChoose to only receive vulnerabilities assigned a certain discovery method or having specific authentication types.""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Discovery Method"", ""name"": ""discoveryMethod"", ""options"": [{""key"": ""All"", ""text"": ""All methods (default)""}, {""key"": ""Remote"", ""text"": ""Remote""}, {""key"": ""Authenticated"", ""text"": ""Authenticated""}, {""key"": ""RemoteOnly"", ""text"": ""Remote Only""}, {""key"": ""AuthenticatedOnly"", ""text"": ""Authenticated Only""}, {""key"": ""RemoteAndAuthenticated"", ""text"": ""Remote and Authenticated""}], ""placeholder"": ""Select discovery method"", ""isMultiSelect"": false, ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Discovery Authentication Types"", ""placeholder"": ""e.g., Windows, Oracle, Unix, SNMP (comma-separated)"", ""type"": ""text"", ""name"": ""discoveryAuthTypes""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 3: Review and Enable\nReview your configuration settings and enable the connector to start ingesting Qualys Knowledge Base data into Microsoft Sentinel.""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect Qualys KB"", ""disconnectLabel"": ""Disconnect Qualys KB"", ""name"": ""mainToggle""}}]}]","{""resourceProvider"": [{""provider"": 
""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Qualys API access"", ""description"": ""Requires a Qualys User Account with read access to the Knowledge Base endpoints.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","QualysKnowledgeBase.Patchable in ""0,1""","false","Qualys VM Knowledgebase","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_PollingConfig.json","Basic","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-knowledge-base-via-codeless-connector-framework" +"QualysKbConnector","Microsoft","Qualys Knowledge Base (via Codeless Connector Framework)","Ingest Qualys Knowledge Base Vulnerability Data into Microsoft Sentinel using version 4.0 of the Qualys API.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 1: Set Credentials\nProvide your Qualys API credentials to enable data ingestion from the Qualys Knowledge Base.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Qualys VM, you need to provide the following resources:""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""- **API Credentials**: username and password for an account with read access to the Knowledge Base API. 
You can find the exact permissions needed in the [Qualys API documentation](https://docs.qualys.com/en/vm/api/scans/kbase/knowledgebase.htm).""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""- **API Server URL**: the Qualys API server URL specific to your region. You can find the exact API server URL for your region [here](https://www.qualys.com/platform-identification/#api-urls)""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Server URL"", ""placeholder"": ""Enter API Server URL"", ""type"": ""url"", ""name"": ""apiServerUrl"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Enter Qualys username"", ""type"": ""text"", ""name"": ""username"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Enter your Qualys password or token"", ""type"": ""password"", ""name"": ""password"", ""validations"": {""required"": true}}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 2: Set Any Optional Filters""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""Configure optional filters to customize which vulnerabilities are ingested. Learn more about available filters in the [Qualys API documentation](https://docs.qualys.com/en/vm/api/scans/kbase/knowledgebase.htm).""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### 2a. 
Filter by Patch Status \nChoose to only show vulnerabilities that are patchable or not patchable.""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Include vulnerabilities that are:"", ""name"": ""isPatchable"", ""options"": [{""key"": ""2"", ""text"": ""Both patchable and unpatchable (default)""}, {""key"": ""1"", ""text"": ""Patchable only""}, {""key"": ""0"", ""text"": ""Unpatchable only""}], ""placeholder"": ""Select patchability filter"", ""isMultiSelect"": false, ""required"": true}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""### 2b. Filter by Discovery Method and Authentication Types \nChoose to only receive vulnerabilities assigned a certain discovery method or having specific authentication types.""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Discovery Method"", ""name"": ""discoveryMethod"", ""options"": [{""key"": ""All"", ""text"": ""All methods (default)""}, {""key"": ""Remote"", ""text"": ""Remote""}, {""key"": ""Authenticated"", ""text"": ""Authenticated""}, {""key"": ""RemoteOnly"", ""text"": ""Remote Only""}, {""key"": ""AuthenticatedOnly"", ""text"": ""Authenticated Only""}, {""key"": ""RemoteAndAuthenticated"", ""text"": ""Remote and Authenticated""}], ""placeholder"": ""Select discovery method"", ""isMultiSelect"": false, ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Discovery Authentication Types"", ""placeholder"": ""e.g., Windows, Oracle, Unix, SNMP (comma-separated)"", ""type"": ""text"", ""name"": ""discoveryAuthTypes""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""## Step 3: Review and Enable\nReview your configuration settings and enable the connector to start ingesting Qualys Knowledge Base data into Microsoft Sentinel.""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect Qualys KB"", ""disconnectLabel"": ""Disconnect Qualys KB"", ""name"": ""mainToggle""}}]}]","{""resourceProvider"": [{""provider"": 
""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Qualys API access"", ""description"": ""Requires a Qualys User Account with read access to the Knowledge Base endpoints.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","QualysKnowledgeBase.Patchable in ""0,1""","false","Qualys VM Knowledgebase","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Qualys%20VM%20Knowledgebase/Data%20Connectors/QualysKB_ccf/QualysKB_PollingConfig.json","Basic","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-knowledge-base-via-codeless-connector-framework" "QualysVMLogsCCPDefinition","Microsoft","Qualys Vulnerability Management (via Codeless Connector Framework)","The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. 
The connector provides visibility into host detection data from vulerability scans.","[{""title"": ""Connect Qualys Vulnerability Management to Microsoft Sentinel"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": "">**NOTE:** To gather data for Detections based on Host, expand the **DetectionList** column in the table.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Qualys VM, you need to provide the following resources""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. API Credentials \n To gather data from Qualys VM, you'll need Qualys API credentials, including your Username and Password.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. API Server URL \n To gather data from Qualys VM, you'll need the Qualys API server URL specific to your region. You can find the exact API server URL for your region [here](https://www.qualys.com/platform-identification/#api-urls)""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Qualys API User Name"", ""placeholder"": ""Enter UserName"", ""type"": ""text"", ""name"": ""username"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Qualys API Password"", ""placeholder"": ""Enter password"", ""type"": ""password"", ""name"": ""password"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Qualys API Server URL"", ""placeholder"": ""Enter API Server URL"", ""type"": ""text"", ""name"": ""apiServerUrl"", ""required"": true, ""description"": ""Ensure the API Server URL starts with https:// and paste the whole API Server URL without / at the ending""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Truncation Limit \n Configure the maximum number of host records to retrieve per API call (20-5000 range). 
Higher values may improve performance but could impact API response times.""}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Truncation Limit"", ""name"": ""truncationLimit"", ""options"": [{""key"": ""1000"", ""text"": ""1000 - API default value""}, {""key"": ""20"", ""text"": ""20 - Minimal load, slower collection""}, {""key"": ""100"", ""text"": ""100 - Low load""}, {""key"": ""500"", ""text"": ""500 - Moderate load""}, {""key"": ""2500"", ""text"": ""2500 - High load, faster collection""}, {""key"": ""5000"", ""text"": ""5000 - Maximum load, fastest collection""}], ""placeholder"": ""Select truncation limit"", ""isMultiSelect"": false, ""required"": true}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""API access and roles"", ""description"": ""Ensure the Qualys VM user has a role of Reader or higher. If the role is Reader, ensure that API access is enabled for the account. Auditor role is not supported to access the API. 
For more details, refer to the Qualys VM [Host Detection API](https://docs.qualys.com/en/vm/qweb-all-api/mergedProjects/qapi-assets/host_lists/host_detection.htm#v_5_0) and [User role Comparison](https://qualysguard.qualys.com/qwebhelp/fo_portal/user_accounts/user_roles_comparison_vm.htm) document.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Data%20Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","QualysVM","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Data%20Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Data%20Connectors/QualysVMHostLogs_ccp/QualysVMHostLogs_PollingConfig.json","Basic;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework" "QualysVulnerabilityManagement","Qualys","[DEPRECATED] Qualys Vulnerability Management","The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Microsoft Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Microsoft Sentinel the capability to view dashboards, create custom alerts, and improve investigation

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. 
Save all changes.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": "">**NOTE:** This connector has been updated, if you have previously deployed an earlier version, and want to update, please delete the existing Qualys VM Azure Function before redeploying this version. Please use Qualys V2 version Workbook, detections. ""}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-QualysVM-azuredeployV2-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \""&\"" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. 
The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions.""}, {""title"": """", ""description"": ""**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**.""}, {""title"": """", ""description"": ""**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. 
Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinel-QualysVM-functioncodeV2) and paste into the Function App `run.ps1` editor.\n7. Click **Save**.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following eight (8) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n\t\tlogAnalyticsUri (optional)\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https:///api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \""&\"" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. 
Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}, {""title"": """", ""description"": ""**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\""functionTimeout\"": \""00:10:00\"",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Qualys API Key"", ""description"": ""A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/QualysVM/Data%20Connectors/QualysVM_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","QualysVM","true","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework" "RSAIDPlus_AdmingLogs_Connector","RSA","RSA ID Plus Admin Logs Connector","The RSA ID Plus AdminLogs Connector provides the capability to ingest [Cloud Admin Console Audit Events](https://community.rsa.com/s/article/Cloud-Administration-Event-Log-API-5d22ba17) into Microsoft Sentinel using Cloud Admin APIs.","[{""description"": "">**NOTE:** This connector uses Codeless Connector Framework (CCF) to connect to the RSA ID Plus Cloud Admin APIs to pull logs into Microsoft Sentinel.""}, {""title"": ""**STEP 1** - Create Legacy Admin API Client in Cloud Admin Console."", ""description"": ""Follow steps mentioned in this [page](https://community.rsa.com/s/article/Manage-Legacy-Clients-API-Keys-a89c9cbc#).""}, {""title"": ""**STEP 2** - 
Generate the Base64URL encoded JWT Token."", ""description"": ""Follow the steps mentioned in this [page](https://community.rsa.com/s/article/Authentication-for-the-Cloud-Administration-APIs-a04e3fb9) under the header 'Legacy Administration API'.""}, {""title"": ""**STEP 3** - Configure the Cloud Admin API to start ingesting Admin event logs into Microsoft Sentinel."", ""description"": ""Provide the required values below:\n"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Admin API URL"", ""placeholder"": ""https://.access.securid.com/AdminInterface/restapi/v1/adminlog/exportLogs"", ""type"": ""text"", ""name"": ""Admin-API-URL""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""JWT Token"", ""placeholder"": ""Enter your JWT Token"", ""type"": ""password"", ""name"": ""access_token""}}]}, {""title"": ""**STEP 4** - Click Connect"", ""description"": ""Verify all the fields above were filled in correctly. Press Connect to start the connector."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""RSA ID Plus API Authentication"", ""description"": ""To access the Admin APIs, a valid Base64URL encoded JWT token, signed with the client's Legacy Administration API key is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Data%20Connectors/RSIDPlus_AdminLogs_Connector_CCP/RSAIDPlus_AdminLogs_ConnectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","RSAIDPlus_AdminLogs_Connector","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Data%20Connectors/RSIDPlus_AdminLogs_Connector_CCP/RSAIDPlus_AdminLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RSAIDPlus_AdminLogs_Connector/Data%20Connectors/RSIDPlus_AdminLogs_Connector_CCP/RSAIDPlus_AdminLogs_Poller.json","APIKey","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#rsa-id-plus-admin-logs-connector" 
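Review bot: the deprecated `QualysVulnerabilityManagement` row (Azure Function, `HTTP Data Collector API`) ends with the same reference URL as the CCF row above it, `https://learn.microsoft.com/azure/sentinel/data-connectors-reference#qualys-vulnerability-management-via-codeless-connector-framework`, so the index documents the deprecated function-app connector with the CCF connector's page. If the reference lookup is keyed by solution rather than by connector id, the deprecated row should get an empty reference (as the `RubrikProtectionStatus` row below has) or an anchor for the deprecated connector itself; otherwise a reader following the link from the deprecated row lands on setup steps for a different connector.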
@@ -473,12 +481,12 @@ "RubrikProtectionStatus","Rubrik, Inc","Rubrik Security Cloud Protection Status (using Codeless Connector Framework)","The Rubrik Security Cloud Protection Status data connector allows you to ingest protection and compliance status information from RSC into Microsoft Sentinel.","[{""title"": ""1. Enter Rubrik Security Cloud Credentials"", ""description"": ""Provide your RSC API credentials to enable data collection."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""**Configuration Steps:**\n\n1. **RSC URL** - Your organization's RSC URL (e.g., `https://your-org.my.rubrik.com`)\n2. **Client ID** - Service account client ID from RSC (format: `client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`)\n3. **Client Secret** - Service account client secret from RSC\n\n**To create a service account in RSC:**\n- Go to RSC \u2192 Settings \u2192 Access Management \u2192 Service Accounts\n- Create new service account with appropriate API permissions\n- Note the Client ID and Client Secret""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""RSC URL"", ""placeholder"": ""https://your-org.my.rubrik.com"", ""type"": ""text"", ""name"": ""rscUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""client|xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"", ""type"": ""text"", ""name"": ""clientId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Enter Client Secret"", ""type"": ""password"", ""name"": ""clientSecret""}}]}, {""title"": ""2. 
Connect to Rubrik Security Cloud"", ""description"": ""Click Connect to start data ingestion."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Data%20Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","RubrikSecurityCloud","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Data%20Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Data%20Connectors/RubrikSecurityCloud_CCF/RubrikSecurityCloud_PollerConfig.json","OAuth2;POST","","","","" "RubrikSecurityCloudAzureFunctions","Rubrik, Inc","Rubrik Security Cloud data connector","The Rubrik Security Cloud data connector enables security operations teams to integrate insights from Rubrik's Data Observability services into Microsoft Sentinel. The insights include identification of anomalous filesystem behavior associated with ransomware and mass deletion, assess the blast radius of a ransomware attack, and sensitive data operators to prioritize and more rapidly investigate potential incidents.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Rubrik webhook which push its logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Rubrik Microsoft Sentinel data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Rubrik connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-RubrikWebhookEvents-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tAnomaliesTableName \n\t\tRansomwareAnalysisTableName \n\t\tThreatHuntsTableName \n\t\tEventsTableName \n\t\tLogLevel \n \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Rubrik Microsoft Sentinel data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-RubrikWebhookEvents-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. RubrikXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tAnomaliesTableName\n\t\tRansomwareAnalysisTableName\n\t\tThreatHuntsTableName\n\t\tEventsTableName\n\t\tLogLevel\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: https://.ods.opinsights.azure.us. \n4. Once all application settings have been entered, click **Save**.""}, {""title"": """", ""description"": ""**Post Deployment steps**\n\n""}, {""title"": ""1) Get the Function app endpoint"", ""description"": ""1. Go to Azure function Overview page and Click on **\""Functions\""** tab.\n2. Click on the function called **\""RubrikHttpStarter\""**.\n3. Go to **\""GetFunctionurl\""** and copy the function url.""}, {""title"": ""2) Add a webhook in RubrikSecurityCloud to send data to Microsoft Sentinel."", ""description"": ""Follow the Rubrik User Guide instructions to [Add a Webhook](https://docs.rubrik.com/en-us/saas/saas/common/adding_webhook.html) to begin receiving event information \n 1. Select the Microsoft Sentinel as the webhook Provider \n 2. Enter the desired Webhook name \n 3. Enter the URL part from copied Function-url as the webhook URL endpoint and replace **{functionname}** with **\""RubrikAnomalyOrchestrator\""**, for the Rubrik Microsoft Sentinel Solution \n 4. Select the EventType as Anomaly \n 5. 
Select the following severity levels: Critical, Warning, Informational \n 6. Choose multiple log types, if desired, when running **\""RubrikEventsOrchestrator\""** \n 7. Repeat the same steps to add webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events.\n \n\n NOTE: while adding webhooks for Anomaly Detection Analysis, Threat Hunt and Other Events, replace **{functionname}** with **\""RubrikRansomwareOrchestrator\""**, **\""RubrikThreatHuntOrchestrator\""** and **\""RubrikEventsOrchestrator\""** respectively in copied function-url.""}, {""title"": """", ""description"": ""*Now we are done with the rubrik Webhook configuration. Once the webhook events triggered , you should be able to see the Anomaly, Anomaly Detection Analysis, Threat Hunt events and Other Events from the Rubrik into respective LogAnalytics workspace table called \""Rubrik_Anomaly_Data_CL\"", \""Rubrik_Ransomware_Data_CL\"", \""Rubrik_ThreatHunt_Data_CL\"", and \""Rubrik_Events_Data_CL\"".*\n\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/RubrikSecurityCloud/Data%20Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","RubrikSecurityCloud","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#rubrik-security-cloud-data-connector-using-azure-functions" "SAPBTPAuditEvents","Microsoft","SAP BTP","SAP Business Technology Platform (SAP BTP) brings together data management, analytics, artificial intelligence, application development, automation, and integration in one, unified environment.","[{""description"": ""**Step 1 - Configuration steps for the SAP BTP Audit Retrieval API**\n\nFollow the steps provided by SAP [see Audit Log Retrieval API for Global Accounts in the Cloud Foundry Environment](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). 
Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can mass onboard BTP subaccounts by using [provided tools](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20BTP/Tools).""}, {""description"": ""Connect using OAuth client credentials"", ""title"": ""Connect events from SAP BTP to Microsoft Sentinel"", ""instructions"": [{""type"": ""ContextPane"", ""parameters"": {""contextPaneType"": ""DataConnectorsContextPane"", ""label"": ""Add account"", ""isPrimary"": true, ""title"": ""BTP connection"", ""instructionSteps"": [{""title"": ""Account Details"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Subaccount name (e.g. Contoso). This will be projected to the InstanceName column."", ""placeholder"": ""no space or special character allowed!"", ""type"": ""text"", ""name"": ""subaccountName""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Subaccount ID (GUID)"", ""placeholder"": ""SubaccountId property from the BTP service key JSON"", ""type"": ""text"", ""name"": ""subaccountId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SAP BTP Client ID"", ""placeholder"": ""Client ID"", ""type"": ""text"", ""name"": ""clientId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SAP BTP Client Secret"", ""placeholder"": ""Client Secret"", ""type"": ""password"", ""name"": ""clientSecret""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Authorization server URL (UAA server)"", ""placeholder"": ""https://your-tenant.authentication.region.hana.ondemand.com"", ""type"": ""text"", ""name"": ""authServerUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Audit Retrieval API URL"", ""placeholder"": ""https://auditlog-management.cfapps.region.hana.ondemand.com"", ""type"": ""text"", ""name"": ""auditHost""}}]}, {""title"": ""Advanced"", ""instructions"": [{""type"": ""Textbox"", 
""parameters"": {""label"": ""Polling Frequency (minutes, 1-15)"", ""placeholder"": ""1"", ""type"": ""text"", ""description"": ""Frequency to poll for new BTP audit logs."", ""name"": ""pollingFrequencyMinutes"", ""defaultValue"": ""1""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Log Ingest Delay (minutes, 1-120)"", ""placeholder"": ""20"", ""type"": ""text"", ""description"": ""Delay to account for SAP BTP audit logs published late."", ""name"": ""ingestDelayMinutes"", ""defaultValue"": ""20""}}]}]}}]}, {""title"": ""Subaccounts"", ""description"": ""Each row represents a connected subaccount"", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Subaccount Name"", ""columnValue"": ""properties.addOnAttributes.SubaccountName""}, {""columnName"": ""Subaccount ID"", ""columnValue"": ""name""}, {""columnName"": ""Polling Frequency (minutes)"", ""columnValue"": ""properties.request.queryWindowInMin""}], ""menuItems"": [""DeleteConnector""]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Client Id and Client Secret for Audit Retrieval API"", ""description"": ""Enable API access in BTP.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Data%20Connectors/SAPBTPPollerConnector/SAPBTP_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SAP BTP","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Data%20Connectors/SAPBTPPollerConnector/SAPBTP_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Data%20Connectors/SAPBTPPollerConnector/SAPBTP_PollingConfig.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sap-btp" -"SAPCC","Microsoft","Microsoft Sentinel for SAP applications - agentless","Modern agentless ingestion of SAP NetWeaver/ABAP/HANA telemetry into Microsoft Sentinel via the Codeless Connector Framework (CCF). Streams ABAPAuditLog, ABAPChangeDocsLog, ABAPUserDetails, ABAPAuthorizationDetails, and SentinelHealth as defined in Solutions/SAP/Tools/IntegrationSuite/SAPCC_DCR.json. Recommended modern path alongside the agent-based MicrosoftSentinelSAP connector.","","","false","","","Unknown","Method not detected","","","","","false","SAP","false","","false","","","","","","","" +"SAPCC","Microsoft","Microsoft Sentinel for SAP applications - agentless","Modern agentless ingestion of SAP NetWeaver/ABAP/HANA telemetry into Microsoft Sentinel via the Codeless Connector Framework (CCF). Streams ABAPAuditLog, ABAPChangeDocsLog, ABAPUserDetails, ABAPAuthorizationDetails, and SentinelHealth as defined in Solutions/SAP/Tools/IntegrationSuite/SAPCC_DCR.json. 
Recommended modern path alongside the agent-based MicrosoftSentinelSAP connector.","","","false","","","Unknown","Method not detected","","","","","false","SAP","false","","true","","","","","","","" "SAPETDAlerts","SAP","SAP Enterprise Threat Detection, cloud edition","The SAP Enterprise Threat Detection, cloud edition (ETD) data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.","[{""description"": ""**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). 
Add a connection for each subaccount.\n\n>**TIP:** Use the [shared blog series](https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/sap-enterprise-threat-detection-cloud-edition-joins-forces-with-microsoft/ba-p/13942075) for additional info.""}, {""description"": ""Connect using OAuth client credentials"", ""title"": ""Connect events from SAP ETD to Microsoft Sentinel"", ""instructions"": [{""type"": ""ContextPane"", ""parameters"": {""contextPaneType"": ""DataConnectorsContextPane"", ""label"": ""Add account"", ""isPrimary"": true, ""title"": ""ETD connection"", ""instructionSteps"": [{""title"": ""Account Details"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""SAP ETD Client ID"", ""placeholder"": ""Client ID"", ""type"": ""text"", ""name"": ""clientId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SAP ETD Client Secret"", ""placeholder"": ""Client Secret"", ""type"": ""password"", ""name"": ""clientSecret""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Authorization server URL (UAA server)"", ""placeholder"": ""https://your-tenant.authentication.region.hana.ondemand.com/oauth/token"", ""type"": ""text"", ""name"": ""authServerUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SAP ETD data retrieval API URL"", ""placeholder"": ""https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com"", ""type"": ""text"", ""name"": ""etdHost""}}]}]}}]}, {""title"": ""ETD accounts"", ""description"": ""Each row represents a connected ETD account"", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Data retrieval endpoint"", ""columnValue"": ""properties.request.apiEndpoint""}], ""menuItems"": [""DeleteConnector""]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", 
""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Client Id and Client Secret for ETD Retrieval API"", ""description"": ""Enable API access in ETD.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20ETD%20Cloud/Data%20Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SAP ETD Cloud","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20ETD%20Cloud/Data%20Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20ETD%20Cloud/Data%20Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sap-enterprise-threat-detection-cloud-edition" "SAPLogServ","SAP SE","SAP LogServ (RISE), S/4HANA Cloud private edition","SAP LogServ is an SAP Enterprise Cloud Services (ECS) service aimed at collection, storage, forwarding and access of logs. LogServ centralizes the logs from all systems, applications, and ECS services used by a registered customer.
Main Features include:
Near Realtime Log Collection: With ability to integrate into Microsoft Sentinel as SIEM solution.
LogServ complements the existing SAP application layer threat monitoring and detections in Microsoft Sentinel with the log types owned by SAP ECS as the system provider. This includes logs like: SAP Security Audit Log (AS ABAP), HANA database, AS JAVA, ICM, SAP Web Dispatcher, SAP Cloud Connector, OS, SAP Gateway, 3rd party Database, Network, DNS, Proxy, Firewall","[{""title"": ""1. Create ARM Resources and Provide the Required Permissions"", ""description"": ""We will create data collection rule (DCR) and data collection endpoint (DCE) resources. We will also create a Microsoft Entra app registration and assign the required permissions to it."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated deployment of Azure resources\nClicking on \""Deploy push connector resources\"" will trigger the creation of DCR and DCE resources.\nIt will then create a Microsoft Entra app registration with client secret and grant permissions on the DCR. This setup enables data to be sent securely to the DCR using a OAuth v2 client credentials.""}}, {""parameters"": {""label"": ""Deploy push connector resources"", ""applicationDisplayName"": ""SAP LogServ push to Microsoft Sentinel""}, ""type"": ""DeployPushConnectorButton_test""}]}, {""title"": ""2. 
Maintain the data collection endpoint details and authentication info in SAP LogServ"", ""description"": ""Share the data collection endpoint URL and authentication info with the SAP LogServ administrator to configure the SAP LogServ to send data to the data collection endpoint.\n\nLearn more from [this blog series](https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-members/ultimate-blog-series-sap-logserv-integration-with-microsoft-sentinel/ba-p/14126401)."", ""instructions"": [{""parameters"": {""label"": ""Use this value to configure as Tenant ID in the LogIngestionAPI credential."", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra Application Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the Application Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Use this value to configure the LogsIngestionURL parameter when deploying the IFlow."", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the DCE URI""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""DCR Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the DCR ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rules. Typically requires Azure RBAC Owner or User Access Administrator role.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20LogServ/Data%20Connectors/SAPLogServ.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","SAP LogServ","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20LogServ/Data%20Connectors/SAPLogServ_PUSH_CCP/SAPLogServ_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20LogServ/Data%20Connectors/SAPLogServ_PUSH_CCP/SAPLogServ_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sap-logserv-rise-s4hana-cloud-private-edition" "SAPS4PublicAlerts","SAP","SAP S/4HANA Cloud Public Edition","The SAP S/4HANA Cloud Public Edition (GROW with SAP) data connector enables ingestion of SAP's security audit log into the Microsoft Sentinel Solution for SAP, supporting cross-correlation, alerting, and threat hunting. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts).","[{""description"": ""**Step 1 - Configuration steps for SAP S/4HANA Cloud Public Edition**\n\nTo connect to SAP S/4HANA Cloud Public Edition, you will need:\n\n1. 
Configure a communication arrangement for communication scenario **[SAP_COM_0750](https://help.sap.com/docs/SAP_S4HANA_CLOUD/0f69f8fb28ac4bf48d2b57b9637e81fa/a93dca70e2ce43d19ac93e3e5531e37d.html)** \n\n2. SAP S/4HANA Cloud Public Edition tenant **API URL**\n3. Valid **communication user (username and password)** for your SAP S/4HANA Cloud system\n4. **Appropriate authorizations** to access audit log data via OData services\n\n>**NOTE:** This connector supports Basic authentication. Looking for alternative authentication mechanisms? See [here](https://github.com/Azure-Samples/Sentinel-For-SAP-Community/tree/main/integration-artifacts)""}, {""description"": ""Connect using Basic authentication"", ""title"": ""Connect events from SAP S/4HANA Cloud Public Edition to Microsoft Sentinel Solution for SAP"", ""instructions"": [{""type"": ""ContextPane"", ""parameters"": {""contextPaneType"": ""DataConnectorsContextPane"", ""label"": ""Add account"", ""isPrimary"": true, ""title"": ""S/4HANA Cloud Public Edition connection"", ""instructionSteps"": [{""title"": ""Account Details"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Enter your SAP S/4HANA Cloud username"", ""type"": ""text"", ""name"": ""username""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Enter your SAP S/4HANA Cloud password"", ""type"": ""password"", ""name"": ""password""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SAP S/4HANA Cloud API URL"", ""placeholder"": ""https://my123456-api.s4hana.cloud.sap"", ""type"": ""text"", ""name"": ""s4hanaHost""}}]}]}}]}, {""title"": ""S/4HANA Cloud Public Edition connections"", ""description"": ""Each row represents a connected S/4HANA Cloud Public Edition system"", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""S/4HANA Cloud API endpoint"", ""columnValue"": ""properties.request.apiEndpoint""}], 
""menuItems"": [""DeleteConnector""]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Client Id and Client Secret for Audit Retrieval API"", ""description"": ""Enable API access in BTP.""}, {""name"": ""Microsoft Sentinel for SAP content package (60+ analytic rules, workbooks, parsers, and more)"", ""description"": ""Deploy from Microsoft Sentinel content hub.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20S4%20Cloud%20Public%20Edition/Data%20Connectors/SAPS4PublicPollerConnector/SAPS4Public_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SAP S4 Cloud Public Edition","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20S4%20Cloud%20Public%20Edition/Data%20Connectors/SAPS4PublicPollerConnector/SAPS4Public_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20S4%20Cloud%20Public%20Edition/Data%20Connectors/SAPS4PublicPollerConnector/SAPS4Public_PollingConfig.json","Basic;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sap-s4hana-cloud-public-edition" "SOCPrimeAuditLogsDataConnector","Microsoft","SOC Prime Platform Audit Logs Data Connector","The [SOC Prime Audit 
Logs](https://tdm.socprime.com/login) data connector allows ingesting logs from the SOC Prime Platform API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SOC Prime Platform API to fetch SOC Prime platform audit logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table, thus resulting in better performance.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the SOC Prime Platform API \n Follow the instructions to obtain the credentials. you can also follow this [guide](https://tdm.socprime.com/login) to generate personal API key.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### Retrieve API Key\n 1. Log in to the SOC Prime Platform\n 2. Click [**Account**] icon -> [**Platform Settings**] -> [**API**] \n 3. Click [**Add New Key**] \n 4. In the modal that appears give your key a meaningful name, set expiration date and product APIs the key provides access to \n 5. Click on [**Generate**] \n 6. Copy the key and save it in a safe place. 
You won't be able to view it again once you close this modal ""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SOC Prime API Key"", ""placeholder"": ""API Key"", ""type"": ""password"", ""name"": ""apitoken""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC%20Prime%20CCF/Data%20Connectors/SOCPrime_ccp/SOCPrime_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SOC Prime CCF","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC%20Prime%20CCF/Data%20Connectors/SOCPrime_ccp/SOCPrime_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC%20Prime%20CCF/Data%20Connectors/SOCPrime_ccp/SOCPrime_PollingConfig.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#soc-prime-platform-audit-logs-data-connector" -"SSG","Siemens AG","SINEC Security Guard","The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel","[{""description"": ""This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace."", ""instructions"": [{""parameters"": {""title"": ""1. 
Please follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Set up the SINEC Security Guard Sensor"", ""description"": ""Detailed step for setting up the sensor.""}, {""title"": ""Create the Data Connector and configure it in the SINEC Security Guard web interface"", ""description"": ""Instructions on configuring the data connector.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC%20Security%20Guard/Data%20Connectors/data_connector_GenericUI.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SINEC Security Guard","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","" +"SSG","Siemens AG","SINEC Security Guard","The SINEC Security Guard solution for Microsoft Sentinel allows you to ingest security events of your industrial networks from the [SINEC Security Guard](https://siemens.com/sinec-security-guard) into Microsoft Sentinel","[{""description"": ""This Data Connector relies on the SINEC Security Guard Sensor Package to be able to receive Sensor events in Microsoft 
Sentinel. The Sensor Package can be purchased in the Siemens Xcelerator Marketplace."", ""instructions"": [{""parameters"": {""title"": ""1. Please follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Set up the SINEC Security Guard Sensor"", ""description"": ""Detailed step for setting up the sensor.""}, {""title"": ""Create the Data Connector and configure it in the SINEC Security Guard web interface"", ""description"": ""Instructions on configuring the data connector.""}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SINEC%20Security%20Guard/Data%20Connectors/data_connector_GenericUI.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SINEC Security Guard","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","" "SailPointIdentityNow","SailPoint","SailPoint IdentityNow","The [SailPoint](https://www.sailpoint.com/) IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Microsoft Sentinel through the REST API. 
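Review bot: the SSG (SINEC Security Guard) hunk changes exactly one positional boolean column from `"true"` to `"false"` (the field that follows `"SINEC Security Guard","false",""`), while every other row in view keeps `"true"` in that same position (for example `"SAP ETD Cloud","false","","true"` and `"SailPointIdentityNow","false","","true"`), and nothing in the diff names the column or says why SSG alone is being reclassified. Because the CSV header is outside the hunk, a reviewer cannot confirm by position which flag this is; please state the column name and the reason for the change in the change description so the reclassification can be checked against the connector definition (`data_connector_GenericUI.json`, "REST Pull API", "HTTP Data Collector API"). The neighbouring fields in these rows ("Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)", "Filename indicates Azure Function") read as generator-produced classification notes, so if this CSV is emitted by the analyzer tooling rather than maintained by hand, the new value should come from the generator's override configuration; a hand edit to a generated file will be silently reverted on the next run, and the remaining columns of the row, which are byte-identical between the `-` and `+` lines, give no hint that such an override exists.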
The connector provides customers the ability to extract audit information from their IdentityNow tenant. It is intended to make it even easier to bring IdentityNow user activity and governance events into Microsoft Sentinel to improve insights from your security incident and event monitoring solution.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the SailPoint IdentityNow REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the SailPoint IdentityNow API**\n\n [Follow the instructions](https://community.sailpoint.com/t5/IdentityNow-Articles/Best-Practice-Using-Personal-Access-Tokens-in-IdentityNow/ta-p/150471) to obtain the credentials. 
\n""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SailPoint IdentityNow data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the SailPoint IdentityNow data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-sailpointidentitynow-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter other information and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the SailPoint IdentityNow data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-sailpointidentitynow-functionapp) file. 
Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. searcheventXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.9.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTENANT_ID\n\t\tSHARED_KEY\n\t\tLIMIT\n\t\tGRANT_TYPE\n\t\tCUSTOMER_ID\n\t\tCLIENT_ID\n\t\tCLIENT_SECRET\n\t\tAZURE_STORAGE_ACCESS_KEY\n\t\tAZURE_STORAGE_ACCOUNT_NAME\n\t\tAzureWebJobsStorage\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""SailPoint IdentityNow API Authentication Credentials"", ""description"": ""TENANT_ID, CLIENT_ID and CLIENT_SECRET are required for authentication.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Data%20Connectors/SailPoint_IdentityNow_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","SailPointIdentityNow","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "SailPointIdentityNowConnector","Microsoft","SailPoint IdentityNow (via Codeless Connector Framework)","The [SailPoint](https://www.sailpoint.com/) IdentityNow data connector provides the capability to ingest [SailPoint IdentityNow] search events into Microsoft Sentinel through the REST API. The connector provides customers the ability to extract audit information from their IdentityNow tenant. It supports connecting multiple SailPoint IdentityNow tenants simultaneously - each identified by its unique Tenant ID and domain - making it easy to monitor multiple environments (production, demo, partner) from a single Microsoft Sentinel workspace. Refer to [SailPoint Developer Documentation](https://developer.sailpoint.com/docs/api/authentication/) for API authentication details.","[{""title"": ""Prerequisites"", ""description"": """", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. 
Find your Tenant ID and Domain\nYour **Tenant ID** is the subdomain of your SailPoint URL.\n\n| Environment | Your URL | Tenant ID | Domain |\n|---|---|---|---|\n| Production | `https://acme.identitynow.com` | `acme` | `identitynow.com` |\n| Demo/Partner | `https://ta-partner19947.identitynow-demo.com` | `ta-partner19947` | `identitynow-demo.com` |\n\nThe connector will call: `https://{Tenant ID}.api.{Domain}/v2025/search/events`""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Create an API Client\n1. In the SailPoint admin console, go to **Admin > Global > Security Settings > API Management**.\n2. Click **+ New** to create a new API client.\n3. Enable **Client Credentials** grant type.\n4. Copy the generated **Client ID** and **Client Secret** - the secret is only shown once.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 3. Assign the required scope\nEnsure the API client has the `sp:search:read` scope to query the Search API.""}}]}, {""title"": ""SailPoint IdentityNow Connections"", ""description"": ""Add and manage connections to your SailPoint IdentityNow tenants. You can connect multiple tenants simultaneously."", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Tenant ID"", ""columnValue"": ""properties.addOnAttributes.tenantId""}, {""columnName"": ""Domain"", ""columnValue"": ""properties.addOnAttributes.identityNowDomain""}, {""columnName"": ""Data Type"", ""columnValue"": ""properties.dataType""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""label"": ""Add Connection"", ""title"": ""Add SailPoint IdentityNow Connection"", ""subtitle"": ""Connect a SailPoint IdentityNow tenant to Microsoft Sentinel"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Tenant ID"", ""placeholder"": ""e.g. 
acme or ta-partner19947"", ""type"": ""text"", ""name"": ""tenantId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""IdentityNow Domain"", ""placeholder"": ""e.g. identitynow.com or identitynow-demo.com"", ""type"": ""text"", ""name"": ""identityNowDomain"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""Enter your OAuth2 Client ID"", ""type"": ""text"", ""name"": ""clientId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Enter your OAuth2 Client Secret"", ""type"": ""password"", ""name"": ""clientSecret"", ""validations"": {""required"": true}}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""SailPoint IdentityNow OAuth2 Client Credentials"", ""description"": ""An OAuth2 **Client ID** and **Client Secret** with the `sp:search:read` scope are required. Create an API client in your SailPoint admin console under **Admin > Global > Security Settings > API Management**. 
[See the documentation](https://developer.sailpoint.com/docs/api/authentication/) for step-by-step instructions.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Data%20Connectors/SearchEvent_CCF/SailPointIdentityNow_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SailPointIdentityNow","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Data%20Connectors/SearchEvent_CCF/SailPointIdentityNow_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SailPointIdentityNow/Data%20Connectors/SearchEvent_CCF/SailPointIdentityNow_PollerConfig.json","OAuth2;POST","","","","" "SalesForceRTEMConnector","Microsoft","SalesForce Real-Time Event Monitoring Connector (via Codeless Connector Framework)","The Salesforce Real-Time Event Monitoring (RTEM) Connector provides the capability to ingest information about your Salesforce real time events using Object for Event Storage into Microsoft Sentinel through the REST API. The connector provides ability to review events in your org on an accelerated basis, get [real-time event data](https://developer.salesforce.com/docs/atlas.en-us.platform_events.meta/platform_events/platform_events_objects_monitoring.htm) for recent activity.","[{""title"": ""Connect to Salesforce Event Monitoring to start collecting real-time event monitoring logs in Microsoft Sentinel"", ""description"": ""Follow [Create a Connected App in Salesforce for OAuth](https://help.salesforce.com/s/articleView?id=platform.ev_relay_create_connected_app.htm&type=5) and [Configure a Connected App for the OAuth 2.0 Client Credentials Flow](https://help.salesforce.com/s/articleView?id=xcloud.connected_app_client_credentials_setup.htm&type=5) to create a Connected App with access to the Salesforce Event Monitoring API. 
Through those instructions, you should get the Consumer Key and Consumer Secret.\n For Salesforce Domain name, Go to Setup, type My Domain in the Quick Find box, and select My Domain to view your domain details. Make sure to enter the domain name without a trailing slash (e.g., https://your-domain.my.salesforce.com). Fill the form below with that information."", ""instructions"": [{""type"": ""InfoMessage"", ""parameters"": {""text"": ""**Required Add-on subscription:** Your Salesforce account should include Salesforce Shield or Salesforce Event Monitoring add-on subscriptions for this connector to work."", ""visible"": true, ""inline"": true}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Connector Alias"", ""columnValue"": ""properties.addOnAttributes.friendlyName""}, {""columnName"": ""Salesforce Base URL"", ""columnValue"": ""properties.addOnAttributes.apiUrl""}, {""columnName"": ""Data Type"", ""columnValue"": ""properties.addOnAttributes.dataType""}, {""columnName"": ""Grant Type"", ""columnValue"": ""properties.addOnAttributes.grantType""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add Connection"", ""title"": ""Configure API Connection"", ""subtitle"": ""Connect to Salesforce to ingest data"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""title"": ""Base Configuration"", ""description"": ""Configure your Salesforce API connection"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Connection Alias"", ""placeholder"": ""Production or Sandbox"", ""type"": ""text"", ""name"": ""friendlyName"", ""validations"": {""required"": true}}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Enter a unique alias to identify this Salesforce connection. **Important**: Use different aliases for each domain. 
To update an existing connection, use the same alias or delete and create with the same alias. To replace a connection, delete the old one and create a new one with a new alias."", ""visible"": true, ""inline"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Salesforce Base URL"", ""placeholder"": ""Example: https://your-domain.my.salesforce.com"", ""type"": ""url"", ""name"": ""salesforceBaseUrl"", ""validations"": {""required"": true}}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""Enter the base URL of your Salesforce instance without trailing slash (e.g., https://your-domain.my.salesforce.com)"", ""visible"": true, ""inline"": true}}, {""type"": ""Dropdown"", ""parameters"": {""label"": ""Data Types"", ""name"": ""selectedDataTypes"", ""options"": [{""key"": ""ApiAnomalyEventStore"", ""text"": ""ApiAnomalyEventStore""}, {""key"": ""ApiEvent"", ""text"": ""ApiEvent""}, {""key"": ""BulkApiResultEventStore"", ""text"": ""BulkApiResultEventStore""}, {""key"": ""CredentialStuffingEventStore"", ""text"": ""CredentialStuffingEventStore""}, {""key"": ""FileEventStore"", ""text"": ""FileEventStore""}, {""key"": ""GuestUserAnomalyEventStore"", ""text"": ""GuestUserAnomalyEventStore""}, {""key"": ""IdentityVerificationEvent"", ""text"": ""IdentityVerificationEvent""}, {""key"": ""IdentityProviderEventStore"", ""text"": ""IdentityProviderEventStore""}, {""key"": ""LightningUriEvent"", ""text"": ""LightningUriEvent""}, {""key"": ""ListViewEvent"", ""text"": ""ListViewEvent""}, {""key"": ""LoginAnomalyEventStore"", ""text"": ""LoginAnomalyEventStore""}, {""key"": ""LoginAsEvent"", ""text"": ""LoginAsEvent""}, {""key"": ""LoginEvent"", ""text"": ""LoginEvent""}, {""key"": ""LogoutEvent"", ""text"": ""LogoutEvent""}, {""key"": ""PermissionSetEventStore"", ""text"": ""PermissionSetEventStore""}, {""key"": ""ReportAnomalyEventStore"", ""text"": ""ReportAnomalyEventStore""}, {""key"": ""ReportEvent"", ""text"": ""ReportEvent""}, {""key"": 
""SessionHijackingEventStore"", ""text"": ""SessionHijackingEventStore""}, {""key"": ""UniversalAnomalyEventStore"", ""text"": ""UniversalAnomalyEventStore""}, {""key"": ""UriEvent"", ""text"": ""UriEvent""}], ""placeholder"": ""Select data types to collect..."", ""isMultiSelect"": true, ""defaultAllSelected"": true, ""required"": true}}]}, {""title"": ""OAuth2 Credentials"", ""description"": ""Configure OAuth2 credentials for API access"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""### OAuth2 Client Credentials""}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""The Salesforce connector supports two types of OAuth2 client credentials flow to authenticate with all API endpoints - Client Credentials and Username-Password. These credentials provide access to the selected data stream."", ""visible"": true, ""inline"": true}}, {""type"": ""InfoMessage"", ""parameters"": {""text"": ""**Important:** For legacy or classic setup, ensure that the security token is appended to your password for the password-based grant type authentication to work. For lightning, passing just the password should work. 
For more information, refer to the [OAuth 2.0 Username-Password Flow for Special Scenarios](https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_username_password_flow.htm&type=5)."", ""visible"": true, ""inline"": true}}, {""type"": ""Radio"", ""parameters"": {""title"": ""Grant Type"", ""name"": ""salesforceGrantType"", ""validations"": {""required"": true}, ""options"": [{""label"": ""Client Credentials"", ""value"": ""client_credentials"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Consumer Key"", ""placeholder"": ""Enter Connected App Consumer Key"", ""type"": ""text"", ""name"": ""clientId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Consumer Secret"", ""placeholder"": ""Enter Connected App Consumer Secret"", ""type"": ""password"", ""name"": ""clientSecret"", ""validations"": {""required"": true}}}]}, {""label"": ""Password"", ""value"": ""password"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Consumer Key"", ""placeholder"": ""Enter Connected App Consumer Key"", ""type"": ""text"", ""name"": ""clientId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Consumer Secret"", ""placeholder"": ""Enter Connected App Consumer Secret"", ""type"": ""password"", ""name"": ""clientSecret"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Enter your Salesforce username"", ""type"": ""text"", ""name"": ""username"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Enter your Salesforce password"", ""type"": ""password"", ""name"": ""password"", ""validations"": {""required"": true}}}]}]}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read, Write, and Delete 
permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""Salesforce Event Monitoring API access"", ""description"": ""Access to the Salesforce Event Monitoring API through a Connected App is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Data%20Connectors/SalesForceRealTimeEventMonitoringConnector_CCF/SalesforceRealTimeEventMonitoring_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Salesforce Service Cloud","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Data%20Connectors/SalesForceRealTimeEventMonitoringConnector_CCF/SalesforceRealTimeEventMonitoring_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce%20Service%20Cloud/Data%20Connectors/SalesForceRealTimeEventMonitoringConnector_CCF/SalesforceRealTimeEventMonitoring_PollingConfig.json","OAuth2;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#salesforce-real-time-event-monitoring-connector-via-codeless-connector-framework" 
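Review bot: the authentication column for the SalesForceRTEMConnector row records only `OAuth2;Paging`, yet the row's own instruction steps expose two grant types (`client_credentials` and `password`, the latter adding username and password textboxes). If the mapping is meant to support an inventory of how connectors authenticate, consider also emitting the detected grant types in this row so that password-grant flows can be found from the index; at minimum, the README should explain how a paging token ends up in the same column as `POST` in the SailPoint row above, since the two describe different things.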
@@ -495,7 +503,7 @@ "SecurityScorecardRatingsAzureFunctions","SecurityScorecard","SecurityScorecard Cybersecurity Ratings","SecurityScorecard is the leader in cybersecurity risk ratings. The [SecurityScorecard](https://www.SecurityScorecard.com/) data connector provides the ability for Sentinel to import SecurityScorecard ratings as logs. SecurityScorecard provides ratings for over 12 million companies and domains using countless data points from across the internet. Maintain full awareness of any company's security posture and be able to receive timely updates when scores change or drop. SecurityScorecard ratings are updated daily based on evidence collected across the web.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the SecurityScorecard API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the SecurityScorecard API**\n\n Follow these instructions to create/get a SecurityScorecard API token.\n 1. As an administrator in SecurityScorecard, navigate to My Settings and then Users\n 2. Click '+ Add User'\n 3. In the form, check off 'Check to create a bot user'\n 4. Provide a name for the Bot and provide it with Read Only permission\n 5. Click 'Add User'\n 6. Locate the newly created Bot user\n 7. Click 'create token' in the Bot user's row\n 8. 
Click 'Confirm' and note the API token that has been generated""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SecurityScorecard Ratings data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the SecurityScorecard API Authorization Key(s)"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the SecurityScorecard Ratings connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SecurityScorecardRatingsAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tSecurityScorecard API Key \n\t\tSecurityScorecard Base URL (https://api.securityscorecard.io) \n\t\tDomain \n\t\tPortfolio IDs (Coma separated IDs) \n\t\tSecurityScorecard Ratings Table Name (Default: SecurityScorecardRatings) \n\t\tLevel Ratings Change (Default: 7) \n\t\tRatings Schedule (Default: 0 45 * * * *) \n\t\tDiff Override Own Ratings (Default: true) \n\t\tDiff Override Portfolio Ratings (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the SecurityScorecard Ratings data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SecurityScorecardRatingsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SecurityScorecardXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tSecurityScorecard API Key \n\t\tSecurityScorecard Base URL (https://api.securityscorecard.io) \n\t\tDomain \n\t\tPortfolio IDs (Coma separated IDs) \n\t\tSecurityScorecard Ratings Table Name (Default: SecurityScorecardRatings) \n\t\tLevel Ratings Change (Default: 7) \n\t\tRatings Schedule (Default: 0 45 * * * *) \n\t\tDiff Override Own Ratings (Default: true) \n\t\tDiff Override Portfolio Ratings (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**SecurityScorecard API Key** is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityScorecard%20Cybersecurity%20Ratings/Data%20Connectors/SecurityScorecardRatings/SecurityScorecardRatings_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","SecurityScorecard Cybersecurity Ratings","false","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "SemperisDSP","SEMPERIS","Semperis Directory Services Protector","Semperis Directory Services Protector data connector allows for the export of its Windows event logs (i.e. Indicators of Exposure and Indicators of Compromise) to Microsoft Sentinel in real time.
It provides a data parser to manipulate the Windows event logs more easily. The different workbooks ease your Active Directory security monitoring and provide different ways to visualize the data. The analytic templates allow to automate responses regarding different events, exposures, or attacks.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**dsp_parser**](https://aka.ms/sentinel-SemperisDSP-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": ""**Configure Windows Security Events via AMA connector**"", ""description"": ""Collect Windows security events logs from your **Semperis DSP Management Server** .""}, {""title"": ""1. Install the Azure Monitor Agent (AMA)"", ""description"": ""On your **Semperis DSP Management Server** install the AMA on the DSP machine that will act as the event log forwarder.\nYou can skip this step if you have already installed the Microsoft agent for Windows""}, {""title"": ""2. Create a Data Collection Rule (DCR)"", ""description"": ""Start collecting logs from the **Semperis DSP Management Server** .\n\n1. In the Azure portal, navigate to your **Log Analytics workspace**.\n2. In the left pane, click on **Configuration** and then **Data connectors**.\n3. Find and install the **the Windows Security Events via AMA** connector.\n4. Click on **Open connector** and then on **Create data collection rule**.\n5. 
Configure the DCR with the necessary details, such as the log sources and the destination workspace."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Semperis DSP Management Server"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""**Configure Common Event Format via AMA connector**"", ""description"": ""Collect syslog messages send from your **Semperis DSP Management Server** .""}, {""title"": ""1. Install the Azure Monitor Agent (AMA)"", ""description"": ""Install the AMA on the Linux machine that will act as the log forwarder. This machine will collect and forward CEF logs to Microsoft Sentinel.\nYou can skip this step if you have already installed the Microsoft agent for Linux""}, {""title"": ""2. Create a Data Collection Rule (DCR)"", ""description"": ""Start collecting logs from the **Semperis DSP Management Server** .\n\n1. In the Azure portal, navigate to your **Log Analytics workspace**.\n2. In the left pane, click on **Configuration** and then **Data connectors**.\n3. Find and install the **the Common Event Format via AMA** connector.\n4. Click on **Open connector** and then on **Create data collection rule**.\n5. Configure the DCR with the necessary details, such as the log sources and the destination workspace."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Semperis DSP Management Server"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""3. 
Configure sending CEF logs on your Semperis DSP Management Server"", ""description"": ""Configure your **Semperis DSP Management Server** to send CEF logs to the Linux machine where the AMA is installed. This involves setting the destination IP address and port for the CEF logs""}, {""title"": """", ""description"": ""> You should now be able to receive logs in the *Windows event log* table and *common log* table, log data can be parsed using the **dsp_parser()** function, used by all query samples, workbooks and analytic templates.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis%20Directory%20Services%20Protector/Data%20Connectors/SemperisDSP-connector.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","SecurityEvent.EventID in ""9208,9211,9212"" | SecurityEvent.EventSourceName == ""Semperis-DSP-Security""","false","Semperis Directory Services Protector","false","","true","","","","","","","" "SemperisLightningLogsAzureFunctions","Semperis","Semperis Lightning Logs","The [Semperis Lightning](https://www.semperis.com/platform/) connector uses Azure Functions to ingest Semperis Lightning identity security data into Microsoft Sentinel. 
The connector deploys an Azure Function and collects data into custom Log Analytics tables for investigation and threat hunting.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to Semperis Lightning and pull data into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">Ensure the workspace is added to Microsoft Sentinel before deploying the connector.""}, {""title"": ""STEP 1 - Configure access for Semperis Lightning"", ""description"": ""1. Sign in to your Semperis Lightning tenant.\n2. Create or retrieve a valid **Semperis API Key** for connector access.\n3. Confirm your **Semperis Zone** value (**na** for North America or **eu** for Europe) for use during deployment.""}, {""title"": ""STEP 2 - Deploy the 'Semperis Lightning Logs' connector and the associated Azure Function"", ""description"": ""\n\n1. Click the **Deploy to Azure** button below.\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-semperis-azuredeploy)""}, {""title"": ""STEP 3 - Set the connector parameters"", ""description"": ""1. Select the preferred **Subscription** and an existing **Resource Group**.\n2. Enter an existing **Log Analytics Workspace Resource ID** belonging to the resource group.\n3. Click **Next**.\n4. Enter your **Semperis API Key** and select the **Semperis Zone**.\n5. Optionally adjust the **Connector Schedule** (default: every 1 hour).\n6. 
Review the settings and click **Create**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Semperis Lightning API credentials"", ""description"": ""A Semperis Lightning **API Key** and selected **Zone** (na or eu) are required to authenticate the connector to Semperis Lightning.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SemperisLightning/Data%20Connectors/SemperisLightningLogs/SemperisLightningLogs_AzureFunction.json","","Azure Function","ID contains AzureFunction/FunctionApp","","","","","false","SemperisLightning","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#semperis-lightning-logs" -"SenservaPro","Senserva","SenservaPro (Preview)","The SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. 
View dashboards of your data, use queries to hunt & explore, and create custom alerts.","[{""title"": ""1. Setup the data connection"", ""description"": ""Visit [Senserva Setup](https://www.senserva.com/senserva-microsoft-sentinel-edition-setup/) for information on setting up the Senserva data connection, support, or any other questions. The Senserva installation will configure a Log Analytics Workspace for output. Deploy Microsoft Sentinel onto the configured Log Analytics Workspace to finish the data connection setup by following [this onboarding guide.](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Data%20Connectors/SenservaPro.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SenservaPro","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"SenservaPro","Senserva","SenservaPro (Preview)","The SenservaPro data connector provides a viewing experience for your SenservaPro scanning logs. View dashboards of your data, use queries to hunt & explore, and create custom alerts.","[{""title"": ""1. Setup the data connection"", ""description"": ""Visit [Senserva Setup](https://www.senserva.com/senserva-microsoft-sentinel-edition-setup/) for information on setting up the Senserva data connection, support, or any other questions. The Senserva installation will configure a Log Analytics Workspace for output. 
Deploy Microsoft Sentinel onto the configured Log Analytics Workspace to finish the data connection setup by following [this onboarding guide.](https://docs.microsoft.com/azure/sentinel/quickstart-onboard)"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Data%20Connectors/SenservaPro.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SenservaPro","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "SentinelIllumioInsightsGraphCCP","Illumio","Illumio Insights Graph","The Illumio Insights Graph connector Publishes AI-powered threat discovery and anomaly reports generated by the Illumio Insights Agent. Leveraging the MITRE ATT&CK framework, these reports surface high-fidelity insights into emerging threats and risky behaviors, directly into the Data Lake.","[{""title"": ""1. 
Configuration"", ""description"": ""Configure the Illumio Insights Graph connector."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""> This data connector may take 24 hrs for the latest report after onboarding""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Illumio Insights Graph Connector\n\n**Prerequisites**\n- Register and Login to Illumio Console with valid credentials\n- Purchase Illumio Insights or Start a free Trial for Illumio Insights\n- Enable The Illumio Insights Agent\n\n**Step 1: Register the Service Account**\n1. Go to **Illumio Console \u2192 Access \u2192 Service Accounts**\n2. Create a service account for the tenant\n3. Once you create a service account, you will receive the client credentials\n4. Copy the **auth_username** (Illumio Insights API Key) and the **Secret** (API Secret)\n\n**Step 2: Add Client Credentials to Sentinel Account**\n- Add the API key and secret to Sentinel Account for tenant authentication\n- These credentials will be used to authenticate calls to the Illumio SaaS API \n\nPlease fill in the required fields below with the credentials obtained from the Illumio Console:""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Illumio Insights Api Key"", ""placeholder"": ""api_XXXXXX"", ""type"": ""password"", ""name"": ""apiKey""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Api Secret"", ""placeholder"": ""API Secret"", ""type"": ""password"", ""name"": ""apiToken""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Illumio Tenant ID"", ""placeholder"": ""{IllumioTenantId - Optional}"", ""type"": ""text"", ""name"": ""illumioTenantId""}}]}, {""title"": ""2. 
Connect"", ""description"": ""Enable the Illumio Insights Graph connector."", ""instructions"": [{""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""toggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Illumio Insight","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Insight/Data%20Connectors/IllumioInsightsGraph_CCP/IllumioInsightsGraph_PollingConfig.json","APIKey","","","","" "SentinelOne","SentinelOne","[DEPRECATED] SentinelOne (using Azure Function)","The [SentinelOne](https://www.sentinelone.com/) data connector provides the capability to ingest common SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. Refer to API documentation: `https://.sentinelone.net/api-doc/overview` for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the SentinelOne API to pull its logs into Microsoft Sentinel. 
This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias SentinelOne and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Parsers/SentinelOne.txt). The function usually takes 10-15 minutes to activate after solution installation/update.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the SentinelOne API**\n\n Follow the instructions to obtain the credentials.\n\n1. Log in to the SentinelOne Management Console with Admin user credentials.\n2. In the Management Console, click **Settings**.\n3. In the **SETTINGS** view, click **USERS**\n4. Click **New User**.\n5. Enter the information for the new console user.\n5. In Role, select **Admin**.\n6. Click **SAVE**\n7. Save credentials of the new user for using in the data connector.""}, {""title"": """", ""description"": ""**NOTE :-** Admin access can be delegated using custom roles. 
Please review SentinelOne [documentation](https://www.sentinelone.com/blog/feature-spotlight-fully-custom-role-based-access-control/) to learn more about custom RBAC.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the SentinelOne data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the SentinelOne Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-SentinelOneAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SentinelOneAPIToken**, **SentinelOneUrl** `(https://.sentinelone.net)` and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the SentinelOne Reports data connector manually with Azure Functions (Deployment via Visual Studio Code).""}, {""title"": """", ""description"": ""**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SentinelOneAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. SOneXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration.""}, {""title"": """", ""description"": ""**2. Configure the Function App**\n\n 1. In the Function App, select the Function App Name and select **Configuration**.\n\n 2. 
In the **Application settings** tab, select ** New application setting**.\n\n 3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\t SentinelOneAPIToken\n\t\t SentinelOneUrl\n\t\t WorkspaceID\n\t\t WorkspaceKey\n\t\t logAnalyticsUri (optional)\n\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n\n 4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**SentinelOneAPIToken** is required. 
See the documentation to learn more about API on the `https://.sentinelone.net/api-doc/overview`.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Data%20Connectors/SentinelOne_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","SentinelOne","true","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sentinelone-via-codeless-connector-framework" "SentinelOneCCP","Microsoft","SentinelOne (via Codeless Connector Framework)","The [SentinelOne](https://usea1-nessat.sentinelone.net/api-doc/overview) data connector allows ingesting logs from the SentinelOne API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform. It uses the SentinelOne API to fetch logs and it supports DCR-based [ingestion time transformations](https://docs.microsoft.com/azure/azure-monitor/logs/custom-logs-overview) that parses the received security data into a custom table so that queries don't need to parse it again, thus resulting in better performance.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the SentinelOne API \n Follow the instructions to obtain the credentials. You can also follow the [guide](https://usea1-nessat.sentinelone.net/docs/en/how-to-automate-api-token-generation.html#how-to-automate-api-token-generation) to generate API key.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. Retrieve SentinelOne Management URL\n 1.1. Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 1.2. In the [**Management Console**] copy the URL link above without the URL path.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Retrieve API Token\n 2.1. 
Log in to the SentinelOne [**Management Console**] with Admin user credentials\n 2.2. In the [**Management Console**], click [**Settings**]\n 2.3. In [**Settings**] view click on [**USERS**].\n 2.4. In the [**USERS**] Page click on [**Service Users**] -> [**Actions**] -> [**Create new service user**].\n 2.5. Choose [**Expiration date**] and [**scope**] (by site) and click on [**Create User**].\n 2.6. Once the [**Service User**] is created copy the [**API Token**] from page and press [**Save**]""}}, {""parameters"": {""label"": ""SentinelOne Management URL"", ""placeholder"": ""https://example.sentinelone.net/"", ""type"": ""text"", ""name"": ""managementUrl""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""API Token"", ""placeholder"": ""API Token"", ""type"": ""securestring"", ""name"": ""apitoken""}, ""type"": ""Textbox""}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Data%20Connectors/SentinelOne_ccp/connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SentinelOne","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Data%20Connectors/SentinelOne_ccp/DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Data%20Connectors/SentinelOne_ccp/PollerConfig.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sentinelone-via-codeless-connector-framework" 
@@ -505,18 +513,20 @@ "SlackAudit","Slack","Slack","The [Slack](https://slack.com) data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more. This data connector uses Microsoft Sentinel native polling capability.","[{""title"": ""Connect Slack to Microsoft Sentinel"", ""description"": ""Enable Slack audit Logs."", ""instructions"": [{""parameters"": {""enable"": ""true""}, ""type"": ""APIKey""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)"", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Slack API credentials"", ""description"": ""**SlackAPIBearerToken** is required for REST API. [See the documentation to learn more about API](https://api.slack.com/web#authentication). 
Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackNativePollerConnector/azuredeploy_Slack_native_poller_connector.json","","CCF","Has pollingConfig","","","","","true","SlackAudit","false","","false","","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackAuditLog_CCP/SlackAuditLog_PollingConfig.json","APIKey;Paging","","","true","" "SlackAuditAPI","Slack","[DEPRECATED] Slack Audit","The [Slack](https://slack.com) Audit data connector provides the capability to ingest [Slack Audit Records](https://api.slack.com/admins/audit-logs) events into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs#the_audit_event) for more information. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Slack REST API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-SlackAuditAPI-parser) to create the Kusto functions alias, **SlackAudit**""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Slack API**\n\n [Follow the instructions](https://api.slack.com/web#authentication) to obtain the credentials. \n""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Slack Audit data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Slack Audit data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SlackAuditAPI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **SlackAPIBearerToken** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Slack Audit data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the [Azure Function App](https://aka.ms/sentinel-SlackAuditAPI-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSlackAPIBearerToken\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**SlackAPIBearerToken** is required for REST API. [See the documentation to learn more about API](https://api.slack.com/web#authentication). 
Check all [requirements and follow the instructions](https://api.slack.com/web#authentication) for obtaining credentials.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackAudit_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","SlackAudit","true","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "SlackAuditLogsCCPDefinition","Microsoft","SlackAudit (via Codeless Connector Framework)","The SlackAudit data connector provides the capability to ingest [Slack Audit logs](https://api.slack.com/admins/audit-logs) into Microsoft Sentinel through the REST API. Refer to [API documentation](https://api.slack.com/admins/audit-logs-call) for more information.","[{""description"": ""To ingest data from SlackAudit to Microsoft Sentinel, you have to click on Add Domain button below then you get a pop up to fill the details, provide the required information and click on Connect. 
You can see the usernames, actions connected in the grid.\n>"", ""instructions"": [{""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""UserName"", ""columnValue"": ""properties.addOnAttributes.UserName""}, {""columnName"": ""Actions"", ""columnValue"": ""properties.addOnAttributes.Actions""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add domain"", ""title"": ""Add domain"", ""subtitle"": ""Add domain"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""UserName"", ""placeholder"": ""Enter your User Name"", ""name"": ""UserName"", ""type"": ""text"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SlackAudit API Key"", ""placeholder"": ""Enter your API KEY"", ""name"": ""apiKey"", ""type"": ""password"", ""required"": true}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""SlackAudit Action Type"", ""placeholder"": ""Enter the Action Type"", ""name"": ""action"", ""type"": ""string"", ""required"": true}}]}]}}], ""title"": ""Connect SlackAudit to Microsoft Sentinel\n\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}], ""customs"": [{""name"": ""UserName, SlackAudit API Key & Action Type"", ""description"": ""To Generate the Access Token, create a new application in Slack, then add necessary scopes and configure the redirect URL. 
For detailed instructions on generating the access token, user name and action name limit, refer the [link](https://github.com/v-gsrihitha/v-gsrihitha/blob/main/SlackAudit/Readme.md).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackAuditLog_CCP/SlackAuditLog_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","SlackAudit","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackAuditLog_CCP/SlackAuditLog_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Data%20Connectors/SlackAuditLog_CCP/SlackAuditLog_PollingConfig.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#slackaudit-via-codeless-connector-framework" +"SlashNextFunctionApp","SlashNext","SlashNext Function App","The SlashNext function app utilizes python to perform the analysis of the raw logs and returns URLs present in the logs.","[{""title"": ""Custom Deployment Using Azure Resource Manager (ARM) Template"", ""description"": ""Follow these steps to perform custom deployment of the SlashNext function app using ARM template:\n\n1. Click this [link](https://portal.azure.com/#create/Microsoft.Template) to open the Microsoft Azure Portal for custom deployment.\n2. Under the **Select a template** tab in the **Custom deployment** section, click **Build your own template in the editor**.\n3. Copy the contents of the **azuredeploy.json ARM template file** from this [GitHub repository](https://github.com/MuhammadAli-snx/Azure-Sentinel/blob/master/Solutions/SlashNext/FunctionApp/azuredeploy.json) and paste them into the **Edit template** section.\n4. Click the **Save** button.\n5. Select the preferred **Subscription**, **Resource Group**, and **Location**.\n6. 
Click **Create** to deploy.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.Storage/storageAccounts"", ""permissionsDisplayText"": ""read, write, and delete permissions on the storage account are required."", ""providerDisplayName"": ""Storage Account"", ""scope"": ""Storage Account"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Microsoft.Web/serverfarms permissions"", ""description"": ""Read and write permissions to Azure App Service Plan are required to create and manage the App Service Plan. [See the documentation to learn more about App Service Plans](https://learn.microsoft.com/azure/app-service/overview-hosting-plans).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlashNext/DataConnectors/SlashNext_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","AzureDiagnostics.Resource == ""SlashnextFunctionApp"" | AzureMetrics.MetricName == ""FunctionExecutionCount""","false","SlashNext","false","","false","","","","","","","" "SnowflakeDataConnector","Snowflake","[DEPRECATED] Snowflake","The Snowflake data connector provides the capability to ingest Snowflake [login logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history.html) and [query logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history.html) into Microsoft Sentinel using the Snowflake Python Connector. Refer to [Snowflake documentation](https://docs.snowflake.com/en/user-guide/python-connector.html) for more information.

NOTE: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the deprecated HTTP Data Collector API.

","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Snowflake**](https://aka.ms/sentinel-SnowflakeDataConnector-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Creating user in Snowflake**\n\nTo query data from Snowflake you need a user that is assigned to a role with sufficient privileges and a virtual warehouse cluster. The initial size of this cluster will be set to small but if it is insufficient, the cluster size can be increased as necessary.\n\n1. Enter the Snowflake console.\n2. Switch role to SECURITYADMIN and [create a new role](https://docs.snowflake.com/en/sql-reference/sql/create-role.html):\n```\nUSE ROLE SECURITYADMIN;\nCREATE OR REPLACE ROLE EXAMPLE_ROLE_NAME;```\n3. 
Switch role to SYSADMIN and [create warehouse](https://docs.snowflake.com/en/sql-reference/sql/create-warehouse.html) and [grand access](https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html) to it:\n```\nUSE ROLE SYSADMIN;\nCREATE OR REPLACE WAREHOUSE EXAMPLE_WAREHOUSE_NAME\n WAREHOUSE_SIZE = 'SMALL' \n AUTO_SUSPEND = 5\n AUTO_RESUME = true\n INITIALLY_SUSPENDED = true;\nGRANT USAGE, OPERATE ON WAREHOUSE EXAMPLE_WAREHOUSE_NAME TO ROLE EXAMPLE_ROLE_NAME;```\n4. Switch role to SECURITYADMIN and [create a new user](https://docs.snowflake.com/en/sql-reference/sql/create-user.html):\n```\nUSE ROLE SECURITYADMIN;\nCREATE OR REPLACE USER EXAMPLE_USER_NAME\n PASSWORD = 'example_password'\n DEFAULT_ROLE = EXAMPLE_ROLE_NAME\n DEFAULT_WAREHOUSE = EXAMPLE_WAREHOUSE_NAME\n;```\n5. Switch role to ACCOUNTADMIN and [grant access to snowflake database](https://docs.snowflake.com/en/sql-reference/account-usage.html#enabling-account-usage-for-other-roles) for role.\n```\nUSE ROLE ACCOUNTADMIN;\nGRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE EXAMPLE_ROLE_NAME;```\n6. 
Switch role to SECURITYADMIN and [assign role](https://docs.snowflake.com/en/sql-reference/sql/grant-role.html) to user:\n```\nUSE ROLE SECURITYADMIN;\nGRANT ROLE EXAMPLE_ROLE_NAME TO USER EXAMPLE_USER_NAME;```\n\n>**IMPORTANT:** Save user and API password created during this step as they will be used during deployment step.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as Snowflake credentials, readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SnowflakeDataConnector-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Snowflake Account Identifier**, **Snowflake User**, **Snowflake Password**, **Microsoft Sentinel Workspace Id**, **Microsoft Sentinel Shared Key**\n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**.\n5. 
Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""1. Download the [Azure Function App](https://aka.ms/sentinel-SnowflakeDataConnector-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration. \n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **+ New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSNOWFLAKE_ACCOUNT\n\t\tSNOWFLAKE_USER\n\t\tSNOWFLAKE_PASSWORD\n\t\tWORKSPACE_ID\n\t\tSHARED_KEY\n\t\tlogAnalyticsUri (optional)\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://WORKSPACE_ID.ods.opinsights.azure.us`. \n4. 
Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Snowflake Credentials"", ""description"": ""**Snowflake Account Identifier**, **Snowflake User** and **Snowflake Password** are required for connection. See the documentation to learn more about [Snowflake Account Identifier](https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#). 
Instructions on how to create user for this connector you can find below.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Data%20Connectors/Snowflake_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","true","Snowflake","true","","false","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#snowflake-via-codeless-connector-framework" "SnowflakeLogsCCPDefinition","Microsoft","Snowflake (via Codeless Connector Framework)","The Snowflake data connector provides the capability to ingest Snowflake [Login History Logs](https://docs.snowflake.com/en/sql-reference/account-usage/login_history), [Query History Logs](https://docs.snowflake.com/en/sql-reference/account-usage/query_history), [User-Grant Logs](https://docs.snowflake.com/en/sql-reference/account-usage/grants_to_users), [Role-Grant Logs](https://docs.snowflake.com/en/sql-reference/account-usage/grants_to_roles), [Load History Logs](https://docs.snowflake.com/en/sql-reference/account-usage/load_history), [Materialized View Refresh History Logs](https://docs.snowflake.com/en/sql-reference/account-usage/materialized_view_refresh_history), [Roles Logs](https://docs.snowflake.com/en/sql-reference/account-usage/roles), [Tables Logs](https://docs.snowflake.com/en/sql-reference/account-usage/tables), [Table Storage Metrics Logs](https://docs.snowflake.com/en/sql-reference/account-usage/table_storage_metrics), [Users Logs](https://docs.snowflake.com/en/sql-reference/account-usage/users) into Microsoft Sentinel using the Snowflake SQL API. 
Refer to [Snowflake SQL API documentation](https://docs.snowflake.com/en/developer-guide/sql-api/reference) for more information.","[{""title"": ""Connect Snowflake to Microsoft Sentinel"", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": "">**NOTE:** To ensure data is presented in separate columns for each field, execute the parser using the **Snowflake()** function""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""To gather data from Snowflake, you need to provide the following resources""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 1. Account Identifier \n To gather data from Snowflake, you'll need Snowflake Account Identifier.""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""#### 2. Programmatic Access Token \n To gather data from Snowflake, you'll need the Snowflake Programmatic Access Token""}}, {""type"": ""Markdown"", ""parameters"": {""content"": ""For detailed instructions on retrieving the Account Identifier and Programmatic Access Token, please refer to the [Connector Tutorial](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Data%20Connectors/Readme.md).""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnName"": ""Account-Identifier"", ""columnValue"": ""properties.addOnAttributes.AccountId""}, {""columnName"": ""Table Name"", ""columnValue"": ""properties.dataType""}], ""menuItems"": [""DeleteConnector""]}}, {""type"": ""ContextPane"", ""parameters"": {""isPrimary"": true, ""label"": ""Add Account"", ""title"": ""Add Account"", ""subtitle"": ""Add Account"", ""contextPaneType"": ""DataConnectorsContextPane"", ""instructionSteps"": [{""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Snowflake Account Identifier"", ""placeholder"": ""Enter Snowflake Account Identifier"", ""type"": ""text"", ""name"": ""accountId"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": 
""Snowflake PAT"", ""placeholder"": ""Enter Snowflake PAT"", ""type"": ""password"", ""name"": ""apikey"", ""validations"": {""required"": true}}}]}]}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Data%20Connectors/SnowflakeLogs_ccp/SnowflakeLogs_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Snowflake","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Data%20Connectors/SnowflakeLogs_ccp/SnowflakeLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Snowflake/Data%20Connectors/SnowflakeLogs_ccp/SnowflakeLogs_PollingConfig.json","APIKey;Paging;POST","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#snowflake-via-codeless-connector-framework" "SonicWallFirewall","SonicWall","[Deprecated] SonicWall Firewall via Legacy Agent","Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by SonicWall to allow event interoperability among different platforms. By connecting your CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""title"": ""1. 
Linux Syslog agent configuration"", ""description"": ""Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace"", ""innerSteps"": [{""title"": ""1.1 Select or create a Linux machine"", ""description"": ""Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds.""}, {""title"": ""1.2 Install the CEF collector on the Linux machine"", ""description"": ""Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": ""Run the following command to install and apply the CEF collector:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}""}, ""type"": ""CopyableLabel""}]}]}, {""title"": ""2. Forward SonicWall Firewall Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your SonicWall Firewall to send Syslog messages in CEF format to the proxy machine. Make sure you send the logs to port 514 TCP on the machine's IP address.\n\n Follow Instructions . Then Make sure you select local use 4 as the facility. Then select ArcSight as the Syslog format.""}, {""title"": ""3. 
Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}""}, ""type"": ""CopyableLabel""}]}, {""title"": ""4. Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall%20Firewall/Data%20Connectors/SonicwallFirewall.json","","AMA","Title mentions Legacy Agent","SonicWall","","{""CommonSecurityLog"": {""vendor"": [""SonicWall""], ""product"": []}}","CommonSecurityLog.AdditionalExtensions contains ""fw_action="" | CommonSecurityLog.DeviceVendor == ""SonicWall""","true","SonicWall Firewall","true","","true","","","","","","","" "SonicWallFirewallAma","SonicWall","[Deprecated] SonicWall Firewall via AMA","Common Event Format (CEF) is an industry standard format on top of Syslog messages, used by SonicWall to allow event interoperability among different platforms. By connecting your CEF logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.","[{""instructions"": [{""parameters"": {""title"": ""1. Kindly follow the steps to configure the data connector"", ""instructionSteps"": [{""title"": ""Step A. Configure the Common Event Format (CEF) via AMA data connector"", ""description"": ""_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine""}, {""title"": ""Step B. Forward SonicWall Firewall Common Event Format (CEF) logs to Syslog agent"", ""description"": ""Set your SonicWall Firewall to send Syslog messages in CEF format to the proxy machine. Make sure you send the logs to port 514 TCP on the machine's IP address.\n\n Follow Instructions . Then Make sure you select local use 4 as the facility. Then select ArcSight as the Syslog format.""}, {""title"": ""Step C. Validate connection"", ""description"": ""Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine"", ""instructions"": [{""parameters"": {""label"": ""Run the following command to validate your connectivity:"", ""value"": ""sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef""}, ""type"": ""CopyableLabel""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. 
Secure your machine "", ""description"": ""Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}, {""description"": ""Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonicWall%20Firewall/Data%20Connectors/template_SonicwallFirewallAMA.json","","AMA","Title/ID indicates AMA","SonicWall","","{""CommonSecurityLog"": {""vendor"": [""SonicWall""], ""product"": []}}","CommonSecurityLog.AdditionalExtensions contains ""fw_action="" | CommonSecurityLog.DeviceVendor =~ ""SonicWall""","true","SonicWall Firewall","true","","true","","","","","","","" "SonraiDataConnector","Sonrai","Sonrai Data Connector","Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Microsoft Sentinel.","[{""title"": ""Sonrai Security Data Connector"", ""description"": ""1. Navigate to Sonrai Security dashboard.\n2. On the bottom left panel, click on integrations.\n3. Select Microsoft Sentinel from the list of available Integrations.\n4. 
Fill in the form using the information provided below."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Data%20Connectors/Connector_REST_API_Sonrai.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","SonraiSecurity","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sonrai-data-connector" "SonraiSecurityPush","Sonrai","Sonrai Security Push Connector","The [Sonrai Security](https://sonraisecurity.com) connector provides the capability to ingest Sonrai ticket data into Microsoft Sentinel. Use this data connector to integrate with Sonrai Security and get Sonrai tickets sent directly to Microsoft Sentinel for threat detection and investigation.","[{""title"": ""1. 
Create ARM Resources and Provide the Required Permissions"", ""description"": ""This connector reads data from the tables that Sonrai Security uses in a Microsoft Analytics Workspace. When [data forwarding](https://sonraisecurity.com/docs) is enabled in Sonrai Security, raw ticket data is sent to the Microsoft Sentinel Ingestion API."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Sonrai Security connector resources"", ""applicationDisplayName"": ""Sonrai Security Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. Push your logs into the workspace"", ""description"": ""Use the following parameters to configure Sonrai Security to send the logs to the workspace."", ""instructions"": [{""parameters"": {""label"": ""Tenant ID (Directory ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint Uri"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the Data Collection Endpoint Uri""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection 
Rule Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the Data Collection Rule Immutable ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Tickets Stream Name"", ""value"": ""Custom-SonraiSecurityTickets""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. Configure Sonrai Security"", ""description"": ""Configure the Sonrai Security platform with the Azure connection details to enable data forwarding to Microsoft Sentinel."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configure Microsoft Sentinel Integration in Sonrai Security\n\n1. Navigate to the Sonrai Security dashboard.\n2. On the bottom left panel, click on **Integrations**.\n3. Select **Microsoft Sentinel** from the list of available integrations.\n4. Fill in the form using the information provided in Step 2 above:\n - **Tenant ID**\n - **Application (client) ID**\n - **Client Secret Value**\n - **Data Collection Endpoint URL**\n - **DCR Immutable ID**\n - **Stream Name**""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). 
Typically requires Azure RBAC Owner or User Access Administrator role.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Data%20Connectors/SonraiSecurity_ccp/SonraiSecurity_Definition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","SonraiSecurity","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Data%20Connectors/SonraiSecurity_ccp/SonraiSecurity_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SonraiSecurity/Data%20Connectors/SonraiSecurity_ccp/SonraiSecurity_poller.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","" -"SophosCloudOptix","Sophos","Sophos Cloud Optix","The [Sophos Cloud Optix](https://www.sophos.com/products/cloud-optix.aspx) connector allows you to easily connect your Sophos Cloud Optix logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities.","[{""title"": ""1. Get the Workspace ID and the Primary Key"", ""description"": ""Copy the Workspace ID and Primary Key for your workspace.\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""2. Configure the Sophos Cloud Optix Integration"", ""description"": ""In Sophos Cloud Optix go to [Settings->Integrations->Microsoft Sentinel](https://optix.sophos.com/#/integrations/sentinel) and enter the Workspace ID and Primary Key copied in Step 1.\n""}, {""title"": ""3. Select Alert Levels"", ""description"": ""In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Microsoft Sentinel.\n""}, {""title"": ""4. 
Turn on the integration"", ""description"": ""To turn on the integration, select Enable, and then click Save.\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Cloud%20Optix/Data%20Connectors/Connector_REST_API_SophosCloudOptix.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Sophos Cloud Optix","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" +"SophosCloudOptix","Sophos","Sophos Cloud Optix","The [Sophos Cloud Optix](https://www.sophos.com/products/cloud-optix.aspx) connector allows you to easily connect your Sophos Cloud Optix logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's cloud security and compliance posture and improves your cloud security operation capabilities.","[{""title"": ""1. 
Get the Workspace ID and the Primary Key"", ""description"": ""Copy the Workspace ID and Primary Key for your workspace.\n"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""2. Configure the Sophos Cloud Optix Integration"", ""description"": ""In Sophos Cloud Optix go to [Settings->Integrations->Microsoft Sentinel](https://optix.sophos.com/#/integrations/sentinel) and enter the Workspace ID and Primary Key copied in Step 1.\n""}, {""title"": ""3. Select Alert Levels"", ""description"": ""In Alert Levels, select which Sophos Cloud Optix alerts you want to send to Microsoft Sentinel.\n""}, {""title"": ""4. Turn on the integration"", ""description"": ""To turn on the integration, select Enable, and then click Save.\n""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Cloud%20Optix/Data%20Connectors/Connector_REST_API_SophosCloudOptix.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Sophos Cloud Optix","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "SophosEP","Sophos","[DEPRECATED] Sophos Endpoint Protection (using Azure Function)","The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/common/concepts/Events.html) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the Sophos Central APIs to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**SophosEPEvent**](https://aka.ms/sentinel-SophosEP-parser) which is deployed with the Microsoft Sentinel Solution.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the Sophos Central API**\n\n Follow the instructions to obtain the credentials.\n\n1. In Sophos Central Admin, go to **Global Settings > API Token Management**.\n2. To create a new token, click **Add token** from the top-right corner of the screen.\n3. Select a **token name** and click **Save**. The **API Token Summary** for this token is displayed.\n4. Click **Copy** to copy your **API Access URL + Headers** from the **API Token Summary** section into your clipboard.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Sophos Endpoint Protection data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following)."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""Use this method for automated deployment of the Sophos Endpoint Protection data connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-SophosEP-azuredeploy)\n2. 
Select the preferred **Subscription**, **Resource Group** and **Location**. \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group.\n3. Enter the **Sophos API Access URL and Headers**, **AzureSentinelWorkspaceId**, **AzureSentinelSharedKey**. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code)."", ""instructions"": [{""parameters"": {""instructionSteps"": [{""title"": ""Step 1 - Deploy a Function App"", ""description"": ""**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-SophosEP-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it.""}, {""title"": ""Step 2 - Configure the Function App"", ""description"": ""1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select **New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSOPHOS_TOKEN\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n5. Once all application settings have been entered, click **Save**.""}]}, ""type"": ""InstructionStepsGroup""}]}]}, ""type"": ""InstructionStepsGroup""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**API token** is required. 
[See the documentation to learn more about API token](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ep_ApiTokenManagement.html)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Endpoint%20Protection/Data%20Connectors/SophosEP_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Sophos Endpoint Protection","true","","true","","","","HTTP Data Collector API","Azure Function code uses SharedKey/HTTP Data Collector API","true","" "SophosEndpointProtectionCCPDefinition","Microsoft","Sophos Endpoint Protection (via Codeless Connector Platform)","The [Sophos Endpoint Protection](https://www.sophos.com/en-us/products/endpoint-antivirus.aspx) data connector provides the capability to ingest [Sophos events](https://developer.sophos.com/docs/siem-v1/1/routes/events/get) and [Sophos alerts](https://developer.sophos.com/docs/siem-v1/1/routes/alerts/get) into Microsoft Sentinel. Refer to [Sophos Central Admin documentation](https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/Logs.html) for more information.","[{""description"": ""Follow [Sophos instructions](https://developer.sophos.com/getting-started-tenant) to create a service principal with access to the Sophos API. 
It will need the Service Principal ReadOnly role.\n Through those instructions, you should get the Client ID, Client Secret, Tenant ID and data region.\n Fill the form bellow with that information."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Sophos Tenant ID"", ""placeholder"": ""Sophos Tenant ID"", ""type"": ""text"", ""name"": ""sophosTenantId""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Sophos Tenant Data Region"", ""placeholder"": ""eu01, eu02, us01, us02 or us03"", ""type"": ""text"", ""name"": ""sophosRegion""}}, {""type"": ""OAuthForm"", ""parameters"": {""clientIdLabel"": ""Client ID"", ""clientSecretLabel"": ""Client Secret"", ""connectButtonLabel"": ""Connect"", ""disconnectButtonLabel"": ""Disconnect""}}, {""type"": ""DataConnectorsGrid"", ""parameters"": {""mapping"": [{""columnValue"": ""name"", ""columnName"": ""Name""}, {""columnValue"": ""id"", ""columnName"": ""ID""}]}}], ""title"": ""Connect to Sophos Endpoint Protection API to start collecting event and alert logs in Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Sophos Endpoint Protection API access"", ""description"": ""Access to the Sophos Endpoint Protection API through a service principal is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Endpoint%20Protection/Data%20Connectors/SophosEP_ccp/SophosEP_DataConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Sophos Endpoint 
Protection","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Endpoint%20Protection/Data%20Connectors/SophosEP_ccp/SophosEP_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20Endpoint%20Protection/Data%20Connectors/SophosEP_ccp/SophosEP_PollingConfig.json","OAuth2;Paging","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#sophos-endpoint-protection-via-codeless-connector-platform" "SophosXGFirewall","Sophos","[Deprecated] Sophos XG Firewall","The [Sophos XG Firewall](https://www.sophos.com/products/next-gen-firewall.aspx) allows you to easily connect your Sophos XG Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigations. Integrating Sophos XG Firewall with Microsoft Sentinel provides more visibility into your organization's firewall traffic and will enhance security monitoring capabilities.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Sophos XG Firewall and load the function code or click [here](https://aka.ms/sentinel-SophosXG-parser), on the second line of the query, enter the hostname(s) of your Sophos XG Firewall device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the Sophos XG Firewall"", ""description"": ""[Follow these instructions](https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/index.html) to enable syslog streaming. 
Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""Sophos XG Firewall"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Sophos%20XG%20Firewall/Data%20Connectors/Connector_Syslog_SophosXGFirewall.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.Facility == ""local0""","true","Sophos XG Firewall","true","","true","","","","","","","" "SquadraTechnologiesSecRMM","Squadra Technologies","Squadra Technologies secRMM","Use the Squadra Technologies secRMM Data Connector to push USB removable storage security event data into Microsoft Sentinel Log Analytics.","[{""title"": """", ""description"": ""Follow the step-by-step instructions provided in the [Squadra Technologies configuration guide for Microsoft Sentinel](https://www.squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.11.0.0/secRMMAzureSentinelAdministratorGuide.pdf)"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions 
to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Squadra%20Technologies%20SecRmm/Data%20Connectors/SquadraTechnologiesSecRMM.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","","","","","false","Squadra Technologies SecRmm","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "SquidProxy","Squid","[Deprecated] Squid Proxy","The [Squid Proxy](http://www.squid-cache.org/) connector allows you to easily connect your Squid Proxy logs with Microsoft Sentinel. This gives you more insight into your organization's network proxy traffic and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Squid Proxy and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SquidProxy/Parsers/SquidProxy.txt), on the second line of the query, enter the hostname(s) of your SquidProxy device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Squid Proxy server where the logs are generated.\n\n> Logs from Squid Proxy deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the custom log directory to be collected"", ""instructions"": [{""parameters"": {""linkType"": ""OpenCustomLogsSettings""}, ""type"": ""InstallAgent""}]}, {""title"": """", ""description"": ""1. 
Select the link above to open your workspace advanced settings \n2. From the left pane, select **Data**, select **Custom Logs** and click **Add+**\n3. Click **Browse** to upload a sample of a Squid Proxy log file(e.g. access.log or cache.log). Then, click **Next >**\n4. Select **New line** as the record delimiter and click **Next >**\n5. Select **Windows** or **Linux** and enter the path to Squid Proxy logs. Default paths are: \n - **Windows** directory: `C:\\Squid\\var\\log\\squid\\*.log`\n - **Linux** Directory: `/var/log/squid/*.log` \n6. After entering the path, click the '+' symbol to apply, then click **Next >** \n7. Add **SquidProxy_CL** as the custom log Name and click **Done**""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SquidProxy/Data%20Connectors/Connector_CustomLog_SquidProxy.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","_Computed.MonthText in ""Apr,Aug,Dec,Feb,Jul,Jun,Mar,May,Nov,Oct,Sep""","true","SquidProxy","true","","true","","","","","","true","" +"StealthTalkAnomalousAuth","StealthTalk","StealthTalk Anomalous Authentication","The StealthTalk Anomalous Authentication connector ingests four classes of anomalous user-authentication events from the StealthTalk Enterprise messenger into a custom Log Analytics table via the Logs Ingestion API.

Events:
- **OffHoursLogin** - login outside the user's configured working hours.
- **NewDeviceLogin** - login from a previously-unseen device.
- **GeoAnomalyLogin** - login from a country/city that does not match the user's assigned geo zone.
- **MultiFailLogin** - multiple consecutive failed authentication attempts.","[{""title"": ""STEP 1 - Auto-deployed ingestion infrastructure (review only)"", ""description"": ""When the Solution is installed via the Microsoft Sentinel Content Hub, the following resources are deployed automatically into the workspace's resource group:\n\n1. **Custom log table** `StealthTalkAnomalousAuth_CL` (21-field stream).\n2. **Data Collection Endpoint** `StealthTalk-Sentinel-DCE`.\n3. **Data Collection Rule** `StealthTalk-Sentinel-DCR` with `Custom-StealthTalkAnomalousAuth_CL` stream declaration and a one-to-one transform.\n4. **ASIM Authentication 0.1.3 parsers** as workspace saved-search functions: `vimAuthenticationStealthTalk` (filtering) and `ASimAuthenticationStealthTalk` (non-filtering).\n5. **`imAuthentication` extension parser** that registers the StealthTalk source in the workspace ASIM Authentication union (overrides Microsoft's `imAuthentication` saved-search to include the StealthTalk vim parser).\n6. **`ASimDisabledParsers` watchlist** + Microsoft Sentinel onboarding state (idempotent).\n\nNo user action is required at this step beyond installing the Solution. The remaining steps configure StealthTalk to push events into the deployed DCR. 
Pre-requisite: Microsoft's `FullDeploymentAuthentication.json` ASIM Authentication parser pack must be deployed in the workspace before this Solution is installed.""}, {""title"": ""STEP 2 - Capture the DCE endpoint and DCR Immutable ID"", ""description"": ""In the Azure portal, open the Data Collection Endpoint and Data Collection Rule resources deployed in Step 1:\n\n- From the **Data Collection Endpoint** properties, copy the **Logs Ingestion endpoint URI** (looks like `https://stealthtalk-sentinel-dce-..ingest.monitor.azure.com`).\n- From the **Data Collection Rule** Overview, copy the **Immutable ID** (looks like `dcr-`).\n\nYou will paste both values into the StealthTalk admin console in Step 5.""}, {""title"": ""STEP 3 - Create a Microsoft Entra App Registration for StealthTalk"", ""description"": ""Create a new App Registration in your Microsoft Entra tenant. Generate a client secret (or use a certificate). Note the **Tenant ID**, **App (client) ID** and **Client secret**. StealthTalk uses this service principal to authenticate to the Logs Ingestion API via OAuth.""}, {""title"": ""STEP 4 - Grant the App Registration the Monitoring Metrics Publisher role on the DCR"", ""description"": ""Open the Data Collection Rule deployed in Step 1 -> **Access control (IAM)** -> **+ Add role assignment**.\n\n- Role: **Monitoring Metrics Publisher**\n- Assign access to: **User, group, or service principal**\n- Select the App Registration from Step 3\n\nRBAC role assignments cannot be performed by the Solution install template, so this step is manual.""}, {""title"": ""STEP 5 - Configure StealthTalk to send events"", ""description"": ""In the StealthTalk admin console, configure the Microsoft Sentinel/Log Analytics integration with the values captured in Steps 2 and 3:\n\n- **DCE endpoint** - the Logs Ingestion endpoint URI from Step 2\n- **DCR Immutable ID** - from Step 2\n- **Stream name** - `Custom-StealthTalkAnomalousAuth_CL`\n- **Tenant ID, App (client) ID, Client 
secret** - from Step 3\n\nSave and trigger a test event. The StealthTalk console reports success/failure of the OAuth handshake and the first event delivery.""}, {""title"": ""STEP 6 - Verify ingestion and ASIM normalisation"", ""description"": ""Run the **Sample queries** above in **Logs**. All must return rows within a few minutes of test events:\n\n- Raw `StealthTalkAnomalousAuth_CL` table populated.\n- ASIM union view via `imAuthentication() | where EventVendor == 'StealthTalk'` returns the same events normalised to the ASIM Authentication schema.\n\nIf the raw table is empty: verify the StealthTalk console reports successful OAuth and event delivery, and confirm the App Registration has the **Monitoring Metrics Publisher** role on the DCR (Step 4). If the raw table has rows but ASIM union is empty: re-check that Microsoft's `FullDeploymentAuthentication.json` parser pack is deployed.""}, {""title"": ""STEP 7 - Enable analytic rules, hunting queries, workbook, and playbook"", ""description"": ""In the Microsoft Sentinel **Content hub**, open the **StealthTalk Anomalous Authentication** Solution and click **Manage**. Enable the four Analytic Rule templates, the three Hunting Query templates, the Workbook, and the Microsoft Teams Playbook. For the Playbook, after deployment, grant its system-assigned managed identity the **Microsoft Sentinel Responder** role on the workspace, and grant the **Azure Security Insights** service principal the **Microsoft Sentinel Automation Contributor** role on the playbook's resource group. 
Then create an **Automation Rule** in Microsoft Sentinel that runs the playbook on incidents from the four StealthTalk analytic rules.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""StealthTalk Enterprise instance"", ""description"": ""A deployed StealthTalk Enterprise tenant with admin access to configure the outgoing webhook to the Log Analytics workspace.""}, {""name"": ""Microsoft Entra App Registration"", ""description"": ""A service principal that StealthTalk uses to authenticate to the Logs Ingestion API. 
Must have the **Monitoring Metrics Publisher** role on the deployed Data Collection Rule.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Data%20Connectors/StealthTalkConnector.json","","REST Pull API","Promoted from Unknown (Custom Log): Connector definition requires workspace key (SharedKey pattern)","StealthTalk","","","","false","StealthTalk","false","","false","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","","" "Stealthwatch","Cisco","[Deprecated] Cisco Secure Cloud Analytics","The [Cisco Secure Cloud Analytics](https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html) data connector provides the capability to ingest [Cisco Secure Cloud Analytics events](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_4_2_Security_Events_and_Alarm_Categories_DV_2_1.pdf) into Microsoft Sentinel. Refer to [Cisco Secure Cloud Analytics documentation](https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_3.pdf) for more information.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**StealthwatchEvent**](https://aka.ms/sentinel-stealthwatch-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using Cisco Secure Cloud Analytics version 7.3.2"", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server where the Cisco Secure Cloud Analytics logs are forwarded.\n\n> Logs from Cisco Secure Cloud Analytics Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure Cisco Secure Cloud Analytics event forwarding"", ""description"": ""Follow the configuration steps below to get Cisco Secure Cloud Analytics logs into Microsoft Sentinel.\n1. Log in to the Stealthwatch Management Console (SMC) as an administrator.\n2. 
In the menu bar, click **Configuration** **>** **Response Management**.\n3. From the **Actions** section in the **Response Management** menu, click **Add > Syslog Message**.\n4. In the Add Syslog Message Action window, configure parameters.\n5. Enter the following custom format:\n|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}\n\n6. Select the custom format from the list and click **OK**\n7. Click **Response Management > Rules**.\n8. Click **Add** and select **Host Alarm**.\n9. Provide a rule name in the **Name** field.\n10. Create rules by selecting values from the Type and Options menus. To add more rules, click the ellipsis icon. 
For a Host Alarm, combine as many possible types in a statement as possible.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Secure%20Cloud%20Analytics/Data%20Connectors/Cisco_Stealthwatch_syslog.json","","AMA","Syslog with agent installation (no AMA)","","","","Syslog.SyslogMessage has ""Stealthwatch""","true","Cisco Secure Cloud Analytics","true","","true","","","","","","","" "StriderShieldCCF","NVISO","Strider Shield","The Strider Shield connector allows the user to ingest Strider Shield EmailAddresses, EmailDomains, RiskSignals, RiskSignalsDefinitions and Terms events into Microsoft Sentinel.","[{""title"": ""STEP 1 - Use an Authentication Strider Shield API endpoint"", ""description"": ""Follow the Strider Shield documentation for guidance on this step.""}, {""title"": ""STEP 2 - Choose the correct base URL"", ""description"": ""There are multiple Strider Shield servers which might host your events. 
The correct server depends on your license and region.Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/').""}, {""title"": ""STEP 3 - Enter your Strider Shield Details"", ""description"": ""Enter the Strider Shield Authentication API endpoint, Base URL, Client ID & Client Secret below:"", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Authentication API endpoint"", ""placeholder"": ""Enter your Authentication API endpoint"", ""type"": ""text"", ""name"": ""AuthApiEndpoint""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Base Url"", ""placeholder"": ""Enter your Base Url"", ""type"": ""text"", ""name"": ""BaseUrl""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client ID"", ""placeholder"": ""Enter your Client ID"", ""type"": ""text"", ""name"": ""ClientID""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Client Secret"", ""placeholder"": ""Enter your Client Secret"", ""type"": ""password"", ""name"": ""ClientSecret""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect"", ""name"": ""connectionToggle""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Strider Shield API token"", ""description"": ""A Strider Shield API Token is required. 
See the Strider Shield documentation on how to create an API token.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Strider%20Shield/Data%20Connectors/StriderShieldCCF/StriderShield_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Strider Shield","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Strider%20Shield/Data%20Connectors/StriderShieldCCF/StriderShield_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Strider%20Shield/Data%20Connectors/StriderShieldCCF/StriderShield_PollingConfig.json","OAuth2","","","","" "StyxViewEndpointConnectorDefinition","Styx Intelligence","StyxView Alerts (via Codeless Connector Platform)","The [StyxView Alerts](https://styxintel.com/) data connector enables seamless integration between the StyxView Alerts platform and Microsoft Sentinel. This connector ingests alert data from the StyxView Alerts API, allowing organizations to centralize and correlate actionable threat intelligence directly within their Microsoft Sentinel workspace.","[{""description"": ""Contact Styx Intelligence Support (support.team@styxintel.com) to get access to an API key."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Token"", ""placeholder"": ""API Token"", ""type"": ""password"", ""name"": ""APIKey""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}], ""title"": ""Connect to StyxView Alerts API to start collecting alert logs in Microsoft Sentinel""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""StyxView Alert API access"", ""description"": ""Access to the StyxView 
Alerts API through an API key is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Styx%20Intelligence/Data%20Connectors/Alerts/StyxView%20Alerts_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Styx Intelligence","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Styx%20Intelligence/Data%20Connectors/Alerts/StyxView%20Alerts_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Styx%20Intelligence/Data%20Connectors/Alerts/StyxView%20Alerts_PollingConfig.json","APIKey;Paging","","","","" 
@@ -554,7 +564,9 @@ "TropicoEventsDefinition","Tropico Security","Tropico Security - Events","Ingest security events from Tropico Security Platform in OCSF Security Finding format.","[{""title"": ""Connect Tropico Security Platform"", ""description"": ""Enter your read-only API key from Tropico Settings."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""trop_xxxx..."", ""type"": ""password"", ""name"": ""apikey""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions required"", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoEvents_CCF/TropicoEvents_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Tropico","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoEvents_CCF/TropicoEvents_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoEvents_CCF/TropicoEvents_PollerConfig.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#tropico-security---events" "TropicoIncidentsDefinition","Tropico Security","Tropico Security - Incidents","Ingest attacker session incidents from Tropico Security Platform.","[{""title"": ""Connect Tropico Security Platform"", ""description"": ""Enter your read-only API key from Tropico Settings."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Key"", ""placeholder"": ""trop_xxxx..."", ""type"": ""password"", ""name"": ""apikey""}}, {""type"": 
""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions required"", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoIncidents_CCF/TropicoIncidents_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Tropico","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoIncidents_CCF/TropicoIncidents_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tropico/Data%20Connectors/TropicoIncidents_CCF/TropicoIncidents_PollerConfig.json","APIKey;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#tropico-security---incidents" "UbiquitiUnifi","Ubiquiti","[Deprecated] Ubiquiti UniFi","The [Ubiquiti UniFi](https://www.ui.com/) data connector provides the capability to ingest [Ubiquiti UniFi firewall, dns, ssh, AP events](https://help.ui.com/hc/en-us/articles/204959834-UniFi-How-to-View-Log-Files) into Microsoft Sentinel.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**UbiquitiAuditEvent**](https://aka.ms/sentinel-UbiquitiUnifi-parser) which is deployed with the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**NOTE:** This data connector has been developed using Enterprise System Controller Release Version: 5.6.2 (Syslog)"", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux or Windows"", ""description"": ""Install the agent on the Server to which the Ubiquiti logs are forwarder from Ubiquiti device (e.g.remote syslog server)\n\n> Logs from Ubiquiti Server deployed on Linux or Windows servers are collected by **Linux** or **Windows** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the Linux agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""instructions"": [{""parameters"": {""title"": ""Choose where to install the Windows agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Windows Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Windows Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Follow the configuration steps below to get Ubiquiti logs into Microsoft Sentinel. 
Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n1. Configure log forwarding on your Ubiquiti controller: \n\n\t i. Go to Settings > System Setting > Controller Configuration > Remote Logging and enable the Syslog and Debugging (optional) logs (Refer to [User Guide](https://dl.ui.com/guides/UniFi/UniFi_Controller_V5_UG.pdf) for detailed instructions).\n2. Download config file [Ubiquiti.conf](https://aka.ms/sentinel-UbiquitiUnifi-conf).\n3. Login to the server where you have installed Azure Log Analytics agent.\n4. Copy Ubiquiti.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder.\n5. Edit Ubiquiti.conf as follows:\n\n\t i. specify port which you have set your Ubiquiti device to forward logs to (line 4)\n\n\t ii. replace **workspace_id** with real value of your Workspace ID (lines 14,15,16,19)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Ubiquiti%20UniFi/Data%20Connectors/Connector_Ubiquiti_agent.json","","AMA","References omsagent","","","","","true","Ubiquiti UniFi","true","","true","","","","","","","" +"UniFiSiteManagerConnector","Community","UniFi Site Manager (CCF)","Connects to the [UniFi Site Manager API](https://developer.ui.com/site-manager-api/gettingstarted) and ingests four data types: Sites, Devices, Hosts, and ISP Metrics.

**Prerequisites:**
1. Sign in to [UniFi Site Manager](https://unifi.ui.com)
2. Navigate to **API** in the left navigation
3. Click **Create API Key**
4. Copy and securely store the generated key (shown only once)","[{""title"": ""1. Obtain a UniFi Site Manager API Key"", ""description"": ""1. Sign in to [UniFi Site Manager](https://unifi.ui.com)\n2. Click **API** in the left navigation\n3. Click **Create API Key**\n4. Copy the generated key immediately - it will only be displayed once""}, {""title"": ""2. Connect"", ""description"": ""Enter your API key below. This single key authorizes polling for all four data types (Sites, Devices, Hosts, ISP Metrics)."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""UniFi Site Manager API Key"", ""placeholder"": ""Enter your API key from unifi.ui.com"", ""type"": ""password"", ""name"": ""apiKey""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""disconnectLabel"": ""Disconnect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions required"", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""UniFi Site Manager API Key"", ""description"": ""A read-only API key from [unifi.ui.com](https://unifi.ui.com) with access to your UniFi deployment.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi%20Site%20Manager%20%28CCF%29/Data%20Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","UniFi Site Manager 
(CCF)","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi%20Site%20Manager%20%28CCF%29/Data%20Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/UniFi%20Site%20Manager%20%28CCF%29/Data%20Connectors/UnifiSiteManagerLogs_ccf/UnifiSiteManager_PollerConfig.json","APIKey;Paging","","","","" "UpwindLogsLoader","Upwind","Upwind Logs Loader (Ingestion API)","The **Upwind Logs Loader** data connector ingests compute platform assets from the [Upwind](https://upwind.io) cloud security platform into a Microsoft Sentinel custom table using an Azure Function and the [Azure Monitor Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/logs-ingestion-api-overview) (DCE/DCR).

Upwind provides runtime-powered cloud security, correlating cloud posture with live workload context. This connector surfaces your Upwind inventory — compute platform assets across AWS, GCP, and Azure — directly into Microsoft Sentinel for correlation, hunting, and incident enrichment.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions and the Azure Monitor Ingestion API (DCE/DCR) to push Upwind logs into Microsoft Sentinel. The ARM template automatically creates the Data Collection Endpoint, custom log table (`UpwindLogsAssets_CL`), Data Collection Rule, and role assignment. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/) for details.""}, {""title"": """", ""description"": "">**(Optional)** During deployment, choose **Key Vault** as the authentication method to securely store your Upwind client secret. You can provide an existing Key Vault name or let the template create a new one. A user-assigned managed identity is automatically configured with the required Key Vault access policies.""}, {""title"": ""STEP 1 \u2013 Obtain Upwind API credentials"", ""description"": ""1. Log in to the **[Upwind platform](https://app.upwind.io)**.\n2. Navigate to **Settings \u2192 API Keys**.\n3. Create a new API key and note the **Client ID** and **Client Secret**.\n4. Navigate to **Settings \u2192 Organization** and note your **Organization ID**.""}, {""title"": ""STEP 2 \u2013 Deploy the Azure Function App"", ""description"": ""Click **Deploy to Azure** and fill in the parameters. 
The template automatically creates the DCE, `UpwindLogs_CL` table, DCR, role assignment, and Function App.\n\n[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-Upwind-azuredeploy)\n\n**Parameters to fill in:**\n\n| Parameter | Description |\n|---|---|\n| `WorkspaceName` | Name of your Log Analytics / Microsoft Sentinel workspace |\n| `UpwindOrgId` | Upwind Organization ID from Step 1 |\n| `UpwindClientId` | Upwind API Client ID from Step 1 |\n| `UpwindClientSecret` | Upwind API Client Secret from Step 1 |\n| `AppInsightsWorkspaceResourceID` | Full Resource ID of the Log Analytics workspace (from **Log Analytics workspace \u2192 Properties**) |"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""Upwind API Credentials"", ""description"": ""An Upwind API client ID and client secret are required. 
Obtain these from your Upwind platform under **Settings \u2192 API Keys**. The client credentials are used to authenticate against `https://auth.upwind.io/oauth/token` to obtain a bearer token.""}, {""name"": ""Upwind Organization ID"", ""description"": ""Your Upwind Organization ID is required. Find it in the Upwind platform under **Settings \u2192 Organization**.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Upwind/Data%20Connectors/UpwindLogsLoader_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","Upwind","false","","true","","","","Log Ingestion API","Sibling ARM template declares DCR / Log Ingestion API resources","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#upwind-logs-loader-ingestion-api" +"UtimacoESKMConnector","Utimaco","Utimaco Enterprise Secure Key Manager (ESKM)","The Utimaco ESKM connector ingests KMIP server logs from Utimaco Enterprise Secure Key Manager (ESKM) into Microsoft Sentinel.

Supports Basic authentication (username/password).

For more information, visit [Utimaco ESKM Documentation](https://utimaco.com/key-management/enterprise-secure-key-manager).","[{""title"": ""Step 1 - Prerequisites"", ""description"": ""Ensure you have a Utimaco ESKM management account with permissions to access the management API. Note the base URL of your ESKM appliance (typically `https://:8443`).""}, {""title"": ""Step 2 - Connect to Utimaco ESKM"", ""description"": ""Provide your Utimaco ESKM management API base URL and account credentials below, then click Connect."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""API Base URL"", ""placeholder"": ""https://:8443"", ""type"": ""text"", ""name"": ""BaseUrl"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Username"", ""placeholder"": ""Enter username"", ""type"": ""text"", ""name"": ""username"", ""validations"": {""required"": true}}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Password"", ""placeholder"": ""Enter password"", ""type"": ""password"", ""name"": ""password"", ""validations"": {""required"": true}}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false}}], ""customs"": [{""name"": ""Utimaco ESKM Account Credentials"", ""description"": ""Utimaco ESKM account credentials (username and password) are required to authenticate to the ESKM management API. 
See [Utimaco ESKM Documentation](https://utimaco.com/key-management/enterprise-secure-key-manager).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Utimaco%20Enterprise%20Secure%20Key%20Manager/Data%20Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_ConnectorDefinition.json","","CCF","Has dcrConfig with RestApiPoller","","","","","false","Utimaco Enterprise Secure Key Manager","false","","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Utimaco%20Enterprise%20Secure%20Key%20Manager/Data%20Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Utimaco%20Enterprise%20Secure%20Key%20Manager/Data%20Connectors/sentinel-connectors/UtimacoESKM_CCF/UtimacoESKM_PollingConfig.json","Basic;Paging","","","","" "VMRay","VMRay","VMRayThreatIntelligence","VMRayThreatIntelligence connector automatically generates and feeds threat intelligence for all submissions to VMRay, improving threat detection and incident response in Sentinel. This seamless integration empowers teams to proactively address emerging threats.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to the VMRay API to pull VMRay Threat IOCs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) and [Azure Blob Storage pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Deploy VMRay Threat Intelligence Connector"", ""description"": ""1. Ensure you have all the required prerequisites: **Client ID**, **Tenant ID**, **Client Secret**, **VMRay API Key**, and **VMRay Base URL**.\n2. To obtain the Client ID, Client Secret, and Tenant ID, [follow these instructions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VMRay#vmray-configurations)\n3. For the **Flex Consumption Plan**, click the **Deploy to Azure** button below:\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-VMRay-azuredeployflex)\n\n4. For the **Premium Plan**, click the **Deploy to Azure** button below:\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-VMRay-azuredeploypremium).""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Azure Subscription"", ""description"": ""Azure Subscription with owner role is required to register an application in azure active directory() and assign role of contributor to app in resource group.""}, {""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""REST API Credentials/permissions"", ""description"": ""**VMRay API Key** is required.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMRay/Data%20Connectors/VMRayThreatIntelligence_FunctionApp.json","","Azure Function (TI Upload API)","Connector code uses Sentinel TI Upload Indicators API (api.ti.sentinel.azure.com)","","","","ThreatIntelligenceIndicator.SourceSystem !contains ""VMRay"" | ThreatIntelligenceIndicator.SourceSystem contains ""VMRay""","false","VMRay","false","","true","","","","STIX 2.1 Upload Indicators API","Connector code references STIX 2.1 Upload Indicators API endpoint (matched 'api.ti.sentinel.azure.com')","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#vmraythreatintelligence-using-azure-functions" "VMwareCarbonBlack","VMware","[DEPRECATED] VMware Carbon Black Cloud (using Azure Function)","The [VMware Carbon Black Cloud](https://www.broadcom.com/products/carbon-black/threat-prevention/carbon-black-cloud) connector provides the capability to ingest Carbon Black data into Microsoft Sentinel. 
The connector provides visibility into Audit, Notification and Event logs in Microsoft Sentinel to view dashboards, create custom alerts, and to improve monitoring and investigation capabilities.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to VMware Carbon Black to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": "">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App.""}, {""title"": """", ""description"": ""**STEP 1 - Configuration steps for the VMware Carbon Black API**\n\n [Follow these instructions](https://developer.carbonblack.com/reference/carbon-black-cloud/authentication/#creating-an-api-key) to create an API Key.""}, {""title"": """", ""description"": ""**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the VMware Carbon Black connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the VMware Carbon Black API Authorization Key(s), readily available."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Option 1 - Azure Resource Manager (ARM) Template"", ""description"": ""This method provides an automated deployment of the VMware Carbon Black connector using an ARM 
Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinelcarbonblackazuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinelcarbonblackazuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **Log Types**, **API ID(s)**, **API Key(s)**, **Carbon Black Org Key**, **S3 Bucket Name**, **AWS Access Key Id**, **AWS Secret Access Key**, **EventPrefixFolderName**,**AlertPrefixFolderName**, and validate the **URI**.\n> - Enter the URI that corresponds to your region. The complete list of API URLs can be [found here](https://community.carbonblack.com/t5/Knowledge-Base/PSC-What-URLs-are-used-to-access-the-APIs/ta-p/67346)\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n - Carbon Black requires a seperate set of API ID/Keys to ingest Notification alerts. Enter the SIEM API ID/Key values or leave blank, if not required. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.""}, {""title"": ""Option 2 - Manual Deployment of Azure Functions"", ""description"": ""Use the following step-by-step instructions to deploy the VMware Carbon Black connector manually with Azure Functions.""}, {""title"": """", ""description"": ""**1. 
Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**.""}, {""title"": """", ""description"": ""**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ Add**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and modify the cron schedule, if needed. The default value is set to run the Function App every 5 minutes. (Note: the Timer trigger should match the `timeInterval` value below to prevent overlapping data), click **Create**.\n4. Click on **Code + Test** on the left pane. \n5. Copy the [Function App Code](https://aka.ms/sentinelcarbonblackazurefunctioncode) and paste into the Function App `run.ps1` editor.\n5. Click **Save**.""}, {""title"": """", ""description"": ""**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following thirteen to sixteen (13-16) application settings individually, with their respective string values (case-sensitive): \n\t\tapiId\n\t\tapiKey\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\ttimeInterval\n\t\tCarbonBlackOrgKey\n\t\tCarbonBlackLogTypes \n\t\ts3BucketName \n\t\tEventPrefixFolderName \n\t\tAlertPrefixFolderName \n\t\tAWSAccessKeyId \n\t\tAWSSecretAccessKey \n\t\tSIEMapiId (Optional)\n\t\tSIEMapiKey (Optional)\n\t\tlogAnalyticsUri (optional) \n> - Enter the URI that corresponds to your region. 
The complete list of API URLs can be [found here](https://community.carbonblack.com/t5/Knowledge-Base/PSC-What-URLs-are-used-to-access-the-APIs/ta-p/67346). The `uri` value must follow the following schema: `https://.conferdeploy.net` - There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Set the `timeInterval` (in minutes) to the default value of `5` to correspond to the default Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Carbon Black requires a seperate set of API ID/Keys to ingest Notification alerts. Enter the `SIEMapiId` and `SIEMapiKey` values, if needed, or omit, if not required. \n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`\n4. Once all application settings have been entered, click **Save**.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions on the workspace are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}, {""name"": ""VMware Carbon Black API Key(s)"", ""description"": ""Carbon Black API and/or SIEM Level API Key(s) are required. See the documentation to learn more about the [Carbon Black API](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).\n - A Carbon Black **API** access level API ID and Key is required for [Audit](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#audit-log-events) and [Event](https://developer.carbonblack.com/reference/carbon-black-cloud/platform/latest/data-forwarder-config-api/) logs. 
\n - A Carbon Black **SIEM** access level API ID and Key is required for [Notification](https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/#notifications) alerts.""}, {""name"": ""Amazon S3 REST API Credentials/permissions"", ""description"": ""**AWS Access Key Id**, **AWS Secret Access Key**, **AWS S3 Bucket Name**, **Folder Name in AWS S3 Bucket** are required for Amazon S3 REST API.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20Carbon%20Black%20Cloud/Data%20Connectors/VMwareCarbonBlack_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","VMware Carbon Black Cloud","true","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","" "VMwareESXi","VMWare","[Deprecated] VMware ESXi","The [VMware ESXi](https://www.vmware.com/products/esxi-and-esx.html) connector allows you to easily connect your VMWare ESXi logs with Microsoft Sentinel This gives you more insight into your organization's ESXi servers and improves your security operation capabilities.","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias VMwareESXi and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Parsers/VMwareESXi.yaml), on the second line of the query, enter the hostname(s) of your VMwareESXi device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update."", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Configure the facilities you want to collect and their severities.\n 1. Under workspace advanced settings **Configuration**, select **Data** and then **Syslog**.\n 2. Select **Apply below configuration to my machines** and select the facilities and severities.\n 3. Click **Save**."", ""instructions"": [{""parameters"": {""linkType"": ""OpenSyslogSettings""}, ""type"": ""InstallAgent""}]}, {""title"": ""3. Configure and connect the VMware ESXi"", ""description"": ""1. Follow these instructions to configure the VMWare ESXi to forward syslog: \n - [VMware ESXi 3.5 and 4.x](https://kb.vmware.com/s/article/1016621) \n - [VMware ESXi 5.0+](https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.monitoring.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html)\n2. 
Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""write permission is required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""delete"": true}}], ""customs"": [{""name"": ""VMwareESXi"", ""description"": ""must be configured to export logs via Syslog""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Data%20Connectors/Connector_Syslog_VMwareESXi.json","","AMA","Uses InstallAgent patterns (MMA-era)","","","","Syslog.ProcessName has_any ""hostd-probe,vmkwarning,vpxd-main"" | _Computed.Substring has ""opID=""","true","VMWareESXi","true","","true","","","","","","","" 
@@ -563,7 +575,7 @@ "VMwarevCenter","VMware","[Deprecated] VMware vCenter","The [vCenter](https://www.vmware.com/in/products/vcenter-server.html) connector allows you to easily connect your vCenter server logs with Microsoft Sentinel. This gives you more insight into your organization's data centers and improves your security operation capabilities.","[{""title"": """", ""description"": ""**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias VMware vCenter and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20vCenter/Parsers/vCenter.txt), on the second line of the query, enter the hostname(s) of your VMware vCenter device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update. \n> 1. If you have not installed the vCenter solution from ContentHub then [Follow the steps](https://aka.ms/sentinel-vCenter-parser) to use the Kusto function alias, **vCenter**"", ""instructions"": []}, {""title"": ""1. 
Install and onboard the agent for Linux"", ""description"": ""Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents."", ""instructions"": [{""parameters"": {""title"": ""Choose where to install the agent:"", ""instructionSteps"": [{""title"": ""Install agent on Azure Linux Virtual Machine"", ""description"": ""Select the machine to install the agent on and then click **Connect**."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxVirtualMachine""}, ""type"": ""InstallAgent""}]}, {""title"": ""Install agent on a non-Azure Linux Machine"", ""description"": ""Download the agent on the relevant machine and follow the instructions."", ""instructions"": [{""parameters"": {""linkType"": ""InstallAgentOnLinuxNonAzure""}, ""type"": ""InstallAgent""}]}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""2. Configure the logs to be collected"", ""description"": ""Follow the configuration steps below to get vCenter server logs into Microsoft Sentinel. Refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json) for more details on these steps.\n For vCenter Server logs, we have issues while parsing the data by OMS agent data using default settings. \nSo we advice to capture the logs into custom table **vcenter_CL** using below instructions. \n1. Login to the server where you have installed OMS agent.\n2. Download config file vCenter.conf \n\t\twget -v https://aka.ms/sentinel-vcenteroms-conf -O vcenter.conf \n3. Copy vcenter.conf to the /etc/opt/microsoft/omsagent/**workspace_id**/conf/omsagent.d/ folder. \n\t\tcp vcenter.conf /etc/opt/microsoft/omsagent/<>/conf/omsagent.d/\n4. Edit vcenter.conf as follows:\n\n\t a. vcenter.conf uses the port **22033** by default. Ensure this port is not being used by any other source on your server\n\n\t b. 
If you would like to change the default port for **vcenter.conf** make sure that you dont use default Azure monotoring /log analytic agent ports I.e.(For example CEF uses TCP port **25226** or **25224**) \n\n\t c. replace **workspace_id** with real value of your Workspace ID (lines 13,14,15,18)\n5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:\n\t\tsudo /opt/microsoft/omsagent/bin/service_control restart\n6. Modify /etc/rsyslog.conf file - add below template preferably at the beginning / before directives section \n\n\t\t$template vcenter,\""%timestamp% %hostname% %msg%\\ n\"" \n\n **Note - There is no space between slash(\\\\) and character 'n' in above command.**\n\n 7. Create a custom conf file in /etc/rsyslog.d/ for example 10-vcenter.conf and add following filter conditions.\n\nDownload config file [10-vCenter.conf](https://aka.ms/sentinel-vcenter-conf)\n\n\t With an added statement you will need to create a filter which will specify the logs coming from the vcenter server to be forwarded to the custom table.\n\n\t reference: [Filter Conditions \u2014 rsyslog 8.18.0.master documentation](https://rsyslog.readthedocs.io/en/latest/configuration/filters.html)\n\n\t Here is an example of filtering that can be defined, this is not complete and will require additional testing for each installation.\n\t\t if $rawmsg contains \""vcenter-server\"" then @@127.0.0.1:22033;vcenter\n\t\t & stop \n\t\t if $rawmsg contains \""vpxd\"" then @@127.0.0.1:22033;vcenter\n\t\t & stop\n\t\t \n8. Restart rsyslog\n\t\t systemctl restart rsyslog"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}]}, {""title"": ""3. 
Configure and connect the vCenter device(s)"", ""description"": ""[Follow these instructions](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-9633A961-A5C3-4658-B099-B81E0512DC21.html) to configure the vCenter to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Include custom pre-requisites if the connectivity requires - else delete customs"", ""description"": ""Description for any custom pre-requisite""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20vCenter/Data%20Connectors/Connector_Syslog_vcenter.json","","AMA","References omsagent","","","","","true","VMware vCenter","true","","true","","","","","","","" "VaikoraSentinel","Data443 Risk Mitigation, Inc.","Vaikora AI Agent Behavioral Signals","Ingest AI agent behavioral signals from the Vaikora API into Microsoft Sentinel using the Codeless Connector Framework (CCF). 
Monitor agent actions, policy decisions, anomaly scores, and risk levels to detect suspicious AI activity in your environment.","[{""title"": ""Connect Vaikora AI Agent Behavioral Signals"", ""description"": ""To enable the Vaikora connector, enter your Vaikora API key below and click Connect. The Agent ID is optional; use it to scope ingestion to a single agent, or leave it blank to ingest actions from all agents the key can see.\n\nYour API key is available in the [Vaikora dashboard](https://vaikora.com) under **Settings > API Keys**. The Agent ID is the UUID shown on each agent's detail page."", ""instructions"": [{""type"": ""Textbox"", ""parameters"": {""label"": ""Vaikora API Key"", ""placeholder"": ""vk_xxxxxxxxxxxxxxxxxxxxxxxx"", ""type"": ""password"", ""name"": ""vaikoraApiKey""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""Vaikora Agent ID (optional)"", ""placeholder"": ""Leave blank to monitor all agents"", ""type"": ""text"", ""name"": ""vaikoraAgentId""}}, {""type"": ""ConnectionToggleButton"", ""parameters"": {""connectLabel"": ""Connect"", ""name"": ""connect""}}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": false}}], ""customs"": [{""name"": ""Vaikora API Key"", ""description"": ""A Vaikora API key (vk_xxxxx) with read access to the actions endpoint. 
Obtain this from your Vaikora dashboard under Settings > API Keys.""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Data%20Connectors/VaikoraSentinel_CCF/Vaikora_ConnectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","Vaikora-Sentinel","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Data%20Connectors/VaikoraSentinel_CCF/Vaikora_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vaikora-Sentinel/Data%20Connectors/VaikoraSentinel_CCF/Vaikora_PollerConfig.json","APIKey;Paging","","","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#vaikora-ai-agent-behavioral-signals" "ValenceSecurity","Valence Security","SaaS Security","Connects the Valence SaaS security platform Azure Log Analytics via the REST API interface.","[{""title"": ""Step 1 : Read the detailed documentation"", ""description"": ""The installation process is documented in great detail in [Valence Security's knowledge base](https://support.valencesecurity.com). 
The user should consult this documentation further to understand installation and debug of the integration.""}, {""title"": ""Step 2: Retrieve the workspace access credentials"", ""description"": ""The first installation step is to retrieve both your **Workspace ID** and **Primary Key** from the Microsoft Sentinel platform.\nCopy the values shown below and save them for configuration of the API log forwarder integration."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId""], ""label"": ""Workspace ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""fillWith"": [""PrimaryKey""], ""label"": ""Primary Key""}, ""type"": ""CopyableLabel""}]}, {""title"": ""Step 3: Configure Sentinel integration on the Valence Security Platform"", ""description"": ""As a Valence Security Platform admin, go to the [configuration screen](https://app.valencesecurity.com/settings/configuration), click Connect in the SIEM Integration card, and choose Microsoft Sentinel. Paste the values from the previous step and click Connect. Valence will test the connection so when success is reported, the connection worked.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Valence%20Security/Data%20Connectors/ValenceSecurity.json","","REST Pull API","Title/description mentions REST API","","","","","false","Valence Security","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#saas-security" -"ValimailEnforceEventsConnector","Valimmail","Valimail Enforce Configuration Events","The [Valimail Configuration Events](https://support.valimail.com/en/articles/13133390-microsoft-sentinel) data connector allows ingesting email domain's configuration events from the Valimail's Reporting API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Valimail Events API \n Follow the instructions in the [guide to generate a set of Reporting API credentials](https://support.valimail.com/en/articles/11322142-api-key-self-service). Store the created Client ID and the App ID keys.""}}, {""type"": ""Textbox"", ""parameters"": {""description"": ""The slug will be the string after /app/ in the Valimail's URL once you are logged in. 
\n If you are unsure of your account slug, please reach out to support and we will be more than happy to help you find it."", ""label"": ""Client Account Slug"", ""placeholder"": ""Account slug"", ""type"": ""text"", ""name"": ""accountslug""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Client Id"", ""placeholder"": ""Client Id Credential"", ""type"": ""password"", ""name"": ""clientid""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API App Id"", ""placeholder"": ""App Id Credential"", ""type"": ""password"", ""name"": ""appid""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_connectorDefinition.json","","CCF","Uses dataConnectorDefinitions","","","","","false","ValimailEnforce","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_PollerConfig.json","JwtToken;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#valimail-enforce-configuration-events" +"ValimailEnforceEventsConnector","Valimail","Valimail Enforce Configuration Events","The [Valimail Configuration Events](https://support.valimail.com/en/articles/13133390-microsoft-sentinel) data connector allows ingesting email domain's configuration 
events from the Valimail's Reporting API into Microsoft Sentinel. The data connector is built on Microsoft Sentinel Codeless Connector Platform.","[{""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Configuration steps for the Valimail Events API \n Follow the instructions in the [guide to generate a set of Reporting API credentials](https://support.valimail.com/en/articles/11322142-api-key-self-service). Store the created Client ID and the App ID keys.""}}, {""type"": ""Textbox"", ""parameters"": {""description"": ""The slug will be the string after /app/ in the Valimail's URL once you are logged in. \n If you are unsure of your account slug, please reach out to support and we will be more than happy to help you find it."", ""label"": ""Client Account Slug"", ""placeholder"": ""Account slug"", ""type"": ""text"", ""name"": ""accountslug""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API Client Id"", ""placeholder"": ""Client Id Credential"", ""type"": ""password"", ""name"": ""clientid""}}, {""type"": ""Textbox"", ""parameters"": {""label"": ""API App Id"", ""placeholder"": ""App Id Credential"", ""type"": ""password"", ""name"": ""appid""}}, {""parameters"": {""label"": ""toggle"", ""name"": ""toggle""}, ""type"": ""ConnectionToggleButton""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""Read and Write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""read"": true, ""write"": true, ""delete"": true, ""action"": false}}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_connectorDefinition.json","","CCF","Uses 
dataConnectorDefinitions","","","","","false","ValimailEnforce","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Data%20Connectors/ValimailEnforceEventLogs_ccp/ValimailEnforceEventLogs_PollerConfig.json","JwtToken;Paging","","","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#valimail-enforce-configuration-events" "VaronisPurviewPush","Varonis","Varonis Purview Push Connector","The [Varonis Purview](https://www.varonis.com/) connector provides the capability to sync resources from Varonis to Microsoft Purview.","[{""title"": ""1. Run this to setup ingestion for Varonis Resoources"", ""description"": ""This will create the necessary Log Analytics tables, Data Collection Rule (DCR), and an Entra application to securely send data to the DCR."", ""instructions"": [{""type"": ""Markdown"", ""parameters"": {""content"": ""#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \""Deploy\"" will trigger the creation of Log Analytics tables and a Data Collection Rule (DCR). \nIt will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token.""}}, {""parameters"": {""label"": ""Deploy Varonis connector resources"", ""applicationDisplayName"": ""Varonis Purview Connector Application""}, ""type"": ""DeployPushConnectorButton""}]}, {""title"": ""2. 
Push your logs into the workspace"", ""description"": ""Use the following parameters to configure the Varonis Purview Connector in your Varonis integrations dashboard."", ""instructions"": [{""parameters"": {""label"": ""Tenant ID (Directory ID)"", ""fillWith"": [""TenantId""]}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Application ID"", ""fillWith"": [""ApplicationId""], ""placeholder"": ""Deploy push connector to get the App Registration Application ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Entra App Registration Secret"", ""fillWith"": [""ApplicationSecret""], ""placeholder"": ""Deploy push connector to get the App Registration Secret""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Endpoint Uri"", ""fillWith"": [""DataCollectionEndpoint""], ""placeholder"": ""Deploy push connector to get the Data Collection Endpoint Uri""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Data Collection Rule Immutable ID"", ""fillWith"": [""DataCollectionRuleId""], ""placeholder"": ""Deploy push connector to get the Data Collection Rule Immutable ID""}, ""type"": ""CopyableLabel""}, {""parameters"": {""label"": ""Resources Stream Name"", ""value"": ""Custom-varonisresources""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}], ""customs"": [{""name"": ""Microsoft Entra"", ""description"": ""Permission to create an app registration in Microsoft Entra ID. Typically requires Entra ID Application Developer role or higher.""}, {""name"": ""Microsoft Azure"", ""description"": ""Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR). 
Typically requires Azure RBAC Owner or User Access Administrator role""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Varonis%20Purview/Data%20Connectors/VaronisPurview_ccp/VaronisPurview_connectorDefinition.json","","CCF Push","CCF Push connector (DCR/DCE based)","","","","","false","Varonis Purview","false","","true","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Varonis%20Purview/Data%20Connectors/VaronisPurview_ccp/VaronisPurview_DCR.json","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Varonis%20Purview/Data%20Connectors/VaronisPurview_ccp/VaronisPurview_dataConnector.json","Push","Log Ingestion API","CCF Push connectors use DCR-based Log Ingestion API","","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#varonis-purview-push-connector" "VaronisSaaS","Varonis","Varonis SaaS","Varonis SaaS provides the capability to ingest [Varonis Alerts](https://www.varonis.com/products/datalert) into Microsoft Sentinel.

Varonis prioritizes deep data visibility, classification capabilities, and automated remediation for data access. Varonis builds a single prioritized view of risk for your data, so you can proactively and systematically eliminate risk from insider threats and cyberattacks.","[{""title"": """", ""description"": "">**NOTE:** This connector uses Azure Functions to connect to Varonis DatAlert service to pull alerts into Microsoft Sentinel. This might result in additional data ingestion costs. See the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.""}, {""title"": """", ""description"": ""**For Azure function and related services installation use:**\n\n [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVaronisSaaS%2FData%2520Connectors%2Fazuredeploy.json)""}, {""title"": """", ""description"": ""STEP 1 - Obtain the Varonis DatAlert Endpoint API credentials.\n\n To generate the Client ID and API key:\n 1. Launch the Varonis Web Interface.\n 2. Navigate to Configuration -> API Keys. The API Keys page is displayed.\n 3. Click Create API Key. The Add New API Key settings are displayed on the right.\n 4. Fill in the name and description.\n 5. Click the Generate Key button.\n 6. Copy the API key secret and save it in a handy location. 
You won't be able to copy it again.\n\nFor additional information, please check: [Varonis Documentation](https://help.varonis.com/s/document-item?bundleId=ami1661784208197&topicId=emp1703144742927.html&_LANG=enus)""}, {""title"": """", ""description"": ""STEP 2 - Deploy the connector and the associated Azure Function."", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceName""], ""label"": ""Workspace Name""}, ""type"": ""CopyableLabel""}]}, {""title"": """", ""description"": ""Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVaronisSaaS%2FData%2520Connectors%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create.""}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Microsoft.Web/sites permissions"", ""description"": ""Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/).""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VaronisSaaS/Data%20Connectors/VaronisSaaS_API_FunctionApp.json","","Azure Function","Filename indicates Azure Function","","","","","false","VaronisSaaS","false","","true","","","","HTTP Data Collector API","Connector definition requires workspace key (SharedKey pattern)","true","https://learn.microsoft.com/azure/sentinel/data-connectors-reference#varonis-saas" "VectraStreamAma","Vectra AI","[Recommended] Vectra AI Stream via AMA","The Vectra AI Stream connector allows to send Network Metadata collected by Vectra Sensors accross the Network and Cloud to Microsoft Sentinel","[{""title"": """", ""description"": "">**NOTE:** This data connector depends on parsers based on a Kusto Function to work as expected which are deployed as part of the Microsoft Sentinel Solution."", ""instructions"": []}, {""title"": """", ""description"": "">**IMPORTANT:** Vectra AI Stream connector is only available for **Linux** agents with **syslog-ng**. Make sure that syslog-ng is installed!\n\n In the first part, we are going to create the custom tables requires for this solution (using an ARM template). Then we are going to configure the Data Connector."", ""instructions"": [{""parameters"": {""title"": ""Please proceed with these steps:"", ""instructionSteps"": [{""title"": ""Step 1. Create custom tables in Log Analytic Workspace (ARM Template)"", ""description"": ""1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fvectranetworks%2FMicrosoft_Sentinel%2Fmain%2FStream%2FAMA%2FARM_Templates%2Fazuredeploy_CustomTables_connector.json)\n2. 
Provide the required details such as the resource group and Microsoft Log Analytics Workspace (**the workspace must exist!**)\n4. Click **Review + Create** to deploy.\n\n\t_Note: Once deployed, you must be able to see the custom tables in your Log Analytic Workspace (Settings ---> Tables)._"", ""instructions"": []}, {""title"": ""Step 2. Install the Syslog via AMA Data connector"", ""description"": ""_Note: This is only required if it has not been install yet in Microsoft Sentinel._\n1. Microsoft Sentinel workspace ---> Content Management ---> Content Hub.\n\n2. Search for 'Syslog' (Provider is Microsoft) and select it.\n\n3. Check 'Install' buton on the bottom of the right panel."", ""instructions"": []}, {""title"": ""Step 3. Configure the Syslog via AMA data connector"", ""description"": ""_Note: Two different Data Collection Rules (DCR) are going to be created during this step_\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector.\n\n2. Search for 'Syslog via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs: LOG_USER/LOG_NOTICE and LOG_LOCAL0/LOG_NOTICE.\n\n4. Create a first DCR (Data Collection Rule). Specify a name. Then, in the Resources tab, select the instance where AMA is going to run. In the Collect tab, select LOG_USER/LOG_NOTICE.\n\n5. Create a second DCR. Specify a different name. Then, in the Resources tab, choose the same host. 
In the Collect tab, select LOG_LOCAL0/LOG_NOTICE\n\n\n\n\tNote:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy."", ""instructions"": []}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": """", ""description"": ""In the next section, we are goning to modify the syslog-ng configuration that has been created where the AMA is deployed. Then, we are going to modify the DCR configuration to be able to sent the network metadata from Vectra Stream to different custom tables."", ""instructions"": [{""parameters"": {""title"": ""Please proceed with these steps:"", ""instructionSteps"": [{""title"": ""Step 1. Modify the syslog-ng configuration"", ""description"": ""_Note: A DCR cannot have more than 10 output flows. As we have 16 custom tables in this solution, we need to split the traffic to two DCR using syslog-ng._\n1. Download the modified syslog-ng configuration file: [azuremonitoragent-tcp.conf](https://raw.githubusercontent.com/vectranetworks/Microsoft_Sentinel/main/Stream/AMA/syslog-ng/azuremonitoragent-tcp.conf).\n2. Log into the instance where syslog-ng/AMA is running.\n3. Browse to /etc/syslog-ng/conf.d/ and replace the content of _azuremonitoragent-tcp.conf_ file with the one that you just downloaded.\n4. Save and restart syslog-ng (_systemctl restart syslog-ng_)."", ""instructions"": []}, {""title"": ""Step 2. Modify the Data Collection rules configuration"", ""description"": ""_Note: The Data Collection Rules that have been created are located in Azure Monitor (**Monitor ---> Settings ---> Data Collection Rules**)_\n 1. Locate the 2 DCR that you created in Microsoft Sentinel.\n 2. Open the first DCR where Syslog facility is LOG_USER. Then go to Automation ---> Export template ---> Deploy --> Edit template.\n 3. 
Download the dataFlows configuration for LOG_USER DCR: [Stream_DataFlows_dcr1.json](https://raw.githubusercontent.com/vectranetworks/Microsoft_Sentinel/main/Stream/AMA/dcr/Stream_DataFlows_dcr1.json) and find/replace the destination placeholder '' with your workspace name.\n 4. Locate the dataFlows section in the template (Azure Monitor) and replace it with the content of the configuration you downloaded.\n 5. In the same DCR, locate the key: resources -> properties -> destinations -> name and replace 'DataCollectionEvent' with the name of the Log Analytics Workspace (same as step 3).\n 6. Save --> Review + Create --> Create.\n 7. Open the second DCR than you created (Facilily is LOG_LOCAL0) and edit the template (Automation ---> Export template ---> Deploy --> Edit template).\n 8. Download the dataFlows configuration for LOG_LOCAL0 DCR: [Stream_DataFlows_dcr2.json](https://raw.githubusercontent.com/vectranetworks/Microsoft_Sentinel/main/Stream/AMA/dcr/Stream_DataFlows_dcr2.json) and find/replace the destination placeholder '' with your wokrspace name.\n 9. Locate the dataFlows section in the template (Azure Monitor) and replace it with the content of the configuration you downloaded.\n 10. In the same DCR, locate the key: resources -> properties -> destinations -> name and replace 'DataCollectionEvent' with the name of the Log Analytics Workspace.\n 11. Save --> Review + Create --> Create."", ""instructions"": []}]}, ""type"": ""InstructionStepsGroup""}]}, {""title"": ""Configure Vectra AI Stream"", ""description"": ""\nConfigure Vectra AI Brain to forward Stream metadata in JSON format to your Microsoft Sentinel workspace via AMA.\n\nFrom the Vectra UI, navigate to Settings > Stream and Edit the destination configuration:\n\n 1. Select Publisher: RAW JSON\n 2. Set the server IP or hostname (which is the host whhere AMA is running)\n 3. Set all the port to **514**.\n 4. 
Save.""}, {""title"": ""Run the following command to validate (or set up) that syslog-ng is listening on port 514"", ""instructions"": [{""parameters"": {""fillWith"": [""WorkspaceId"", ""PrimaryKey""], ""label"": """", ""value"": ""sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py""}, ""type"": ""CopyableLabel""}]}]","{""resourceProvider"": [{""provider"": ""Microsoft.OperationalInsights/workspaces"", ""permissionsDisplayText"": ""read and write permissions are required."", ""providerDisplayName"": ""Workspace"", ""scope"": ""Workspace"", ""requiredPermissions"": {""write"": true, ""read"": true, ""delete"": true}}, {""provider"": ""Microsoft.OperationalInsights/workspaces/sharedKeys"", ""permissionsDisplayText"": ""read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)."", ""providerDisplayName"": ""Keys"", ""scope"": ""Workspace"", ""requiredPermissions"": {""action"": true}}], ""customs"": [{""name"": ""Vectra AI Stream configuration"", ""description"": ""must be configured to export Stream metadata in JSON""}, {""description"": ""To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)""}]}","false","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Vectra%20AI%20Stream/Data%20Connectors/template_VectraStreamAma.json","","AMA","Title/ID indicates AMA","","","","","false","Vectra AI Stream","false","","true","","","","","","","" 
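Review bot: The SharedKey heuristic is applied inconsistently across the two connector rows visible here: VaronisSaaS gets "HTTP Data Collector API" / "Connector definition requires workspace key (SharedKey pattern)" / "true", while VectraStreamAma leaves those columns empty even though its permissions block also declares `Microsoft.OperationalInsights/workspaces/sharedKeys` with "read permissions to shared keys for the workspace are required". If the AMA classification ("Title/ID indicates AMA") is meant to take precedence because the sharedKeys permission is template boilerplate in AMA connectors, that precedence should be documented in the README; otherwise the Vectra row should be flagged the same way as Varonis.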
diff --git a/Tools/Solutions Analyzer/content_items.csv b/Tools/Solutions Analyzer/content_items.csv index 8ed409c66c6..c9bbb38ce56 100644 --- a/Tools/Solutions Analyzer/content_items.csv +++ b/Tools/Solutions Analyzer/content_items.csv 
@@ -18,19 +18,19 @@ "51617533-cf51-4415-9020-b15bd47d69d2","1Password - Vault export prior to account suspension or deletion","analytic_rule","This will alert when a successful vault export has occurred within the last 14 days prior to an account being suspended or deleted from 1Password. Ref: https://1password.com/ Ref: https://github.com/securehats/","1Password - Vault export prior to account suspension or deletion.yaml","","","Medium","","Scheduled","CredentialAccess","T1555","1Password","has_query","","","","","","Solution","","","","","false","1Password","1Password","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password","true" "dae4c601-51c9-47f5-83d3-e6eaef929cf6","1Password - Vault export","analytic_rule","This will alert when a successful vault export has occurred within 1Password. Ref: https://1password.com/ Ref: https://github.com/securehats/","1Password - Vault Export.yaml","","","Low","","Scheduled","CredentialAccess","T1555","1Password","has_query","","","","","","Solution","","","","","false","1Password","1Password","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password","true" "","1Password","workbook","","1Password.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","1Password","1Password","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password","true" -"25c86f99-0a91-4b7f-88f3-599a008e5ab8","API - Account Takeover","analytic_rule","'42Crunch API protection against account takeover'","APIAccountTakeover.yaml","","","High","Available","Scheduled","CredentialAccess,Discovery","T1110,T1087","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"2c59e609-e0a0-4e8e-adc5-ab4224be8a36","API - Anomaly Detection","analytic_rule","'42Crunch API protection anomaly 
detection'","APIAnomalyDetection.yaml","","","Low","Available","Scheduled","Reconnaissance","T1593,T1589","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"d944d564-b6fa-470d-b5ab-41b341878c5e","API - API Scraping","analytic_rule","'42Crunch API protection against API scraping'","APIAPIScaping.yaml","","","High","Available","Scheduled","Reconnaissance,Collection","T1593,T1119","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"1b047dc3-a879-4f99-949b-d1dc867efc83","API - BOLA","analytic_rule","'42Crunch API protection against BOLA'","APIBOLA.yaml","","","Medium","Available","Scheduled","Exfiltration","T1020","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"c6258d51-7b82-4942-8293-94c1dcf91595","API - Rate limiting","analytic_rule","'42Crunch API protection against first-time access'","APIFirstTimeAccess.yaml","","","Low","Available","Scheduled","Discovery,InitialAccess","T1087,T1190","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"28500be7-cfcf-40e1-bad4-bc524e9283e2","API - Invalid host access","analytic_rule","'42Crunch API protection against invalid host 
access'","APIInvalidHostAccess.yaml","","","Low","Available","Scheduled","Reconnaissance","T1592","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"bbd163f4-1f56-434f-9c23-b06713c119c2","API - JWT validation","analytic_rule","'42Crunch API protection against JWT validation'","APIJWTValidation.yaml","","","Low","Available","Scheduled","InitialAccess,CredentialAccess","T1190,T1528","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"421b38ec-4295-4aed-8299-c92e268ad663","API - Kiterunner detection","analytic_rule","'42Crunch API protection against Kiterunner enumeration'","APIKiterunnerDetection.yaml","","","Medium","Available","Scheduled","Reconnaissance,Discovery","T1595,T1580,T1083","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"d951d64d-0ecd-4675-8c79-6c870d5f72ac","API - Password Cracking","analytic_rule","'42Crunch API protection against password cracking'","APIPasswordCracking.yaml","","","High","Available","Scheduled","CredentialAccess","T1110,T1555,T1187","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"b808063b-07d5-432c-95d0-8900da61cce9","API - Rate limiting","analytic_rule","'42Crunch API protection against rate 
limiting'","APIRateLimiting.yaml","","","Medium","Available","Scheduled","Impact","T1499","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"7bdc10d6-aa24-4ca9-9a93-802cd8761354","API - Suspicious Login","analytic_rule","'42Crunch API protection against suspicious login'","APISuspiciousLogin.yaml","","","High","Available","Scheduled","CredentialAccess,InitialAccess","T1110,T1190","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"","42CrunchAPIProtectionWorkbook","workbook","","42CrunchAPIProtectionWorkbook.json","","","","","","","","","has_query","","","_Computed.Status == ""200"" | _Computed.Status != ""200""","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" -"e7ebd785-c392-4f3c-872e-528684931bd8","FortyTwoCrunchAPIProtection","parser","","FortyTwoCrunchAPIProtection.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","true" +"25c86f99-0a91-4b7f-88f3-599a008e5ab8","API - Account Takeover","analytic_rule","'42Crunch API protection against account takeover'","APIAccountTakeover.yaml","","","High","Available","Scheduled","CredentialAccess,Discovery","T1110,T1087","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API 
Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"2c59e609-e0a0-4e8e-adc5-ab4224be8a36","API - Anomaly Detection","analytic_rule","'42Crunch API protection anomaly detection'","APIAnomalyDetection.yaml","","","Low","Available","Scheduled","Reconnaissance","T1593,T1589","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"d944d564-b6fa-470d-b5ab-41b341878c5e","API - API Scraping","analytic_rule","'42Crunch API protection against API scraping'","APIAPIScaping.yaml","","","High","Available","Scheduled","Reconnaissance,Collection","T1593,T1119","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"1b047dc3-a879-4f99-949b-d1dc867efc83","API - BOLA","analytic_rule","'42Crunch API protection against BOLA'","APIBOLA.yaml","","","Medium","Available","Scheduled","Exfiltration","T1020","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"c6258d51-7b82-4942-8293-94c1dcf91595","API - Rate limiting","analytic_rule","'42Crunch API protection against first-time access'","APIFirstTimeAccess.yaml","","","Low","Available","Scheduled","Discovery,InitialAccess","T1087,T1190","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API 
Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"28500be7-cfcf-40e1-bad4-bc524e9283e2","API - Invalid host access","analytic_rule","'42Crunch API protection against invalid host access'","APIInvalidHostAccess.yaml","","","Low","Available","Scheduled","Reconnaissance","T1592","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"bbd163f4-1f56-434f-9c23-b06713c119c2","API - JWT validation","analytic_rule","'42Crunch API protection against JWT validation'","APIJWTValidation.yaml","","","Low","Available","Scheduled","InitialAccess,CredentialAccess","T1190,T1528","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"421b38ec-4295-4aed-8299-c92e268ad663","API - Kiterunner detection","analytic_rule","'42Crunch API protection against Kiterunner enumeration'","APIKiterunnerDetection.yaml","","","Medium","Available","Scheduled","Reconnaissance,Discovery","T1595,T1580,T1083","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"d951d64d-0ecd-4675-8c79-6c870d5f72ac","API - Password Cracking","analytic_rule","'42Crunch API protection against password cracking'","APIPasswordCracking.yaml","","","High","Available","Scheduled","CredentialAccess","T1110,T1555,T1187","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API 
Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"b808063b-07d5-432c-95d0-8900da61cce9","API - Rate limiting","analytic_rule","'42Crunch API protection against rate limiting'","APIRateLimiting.yaml","","","Medium","Available","Scheduled","Impact","T1499","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"7bdc10d6-aa24-4ca9-9a93-802cd8761354","API - Suspicious Login","analytic_rule","'42Crunch API protection against suspicious login'","APISuspiciousLogin.yaml","","","High","Available","Scheduled","CredentialAccess,InitialAccess","T1110,T1190","42CrunchAPIProtection,FortyTwoCrunchAPIProtection","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"","42CrunchAPIProtectionWorkbook","workbook","","42CrunchAPIProtectionWorkbook.json","","","","","","","","","has_query","","","_Computed.Status == ""200"" | _Computed.Status != ""200""","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" +"e7ebd785-c392-4f3c-872e-528684931bd8","FortyTwoCrunchAPIProtection","parser","","FortyTwoCrunchAPIProtection.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","42Crunch API Protection","42Crunch API Protection","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/42Crunch%20API%20Protection","false" "","AbuseIPDB Blacklist Ip To Threat Intelligence","playbook","By every day reccurence, this playbook gets triggered and performs the following actions: 1. 
Gets [list](https://docs.abuseipdb.com/#blacklist-endpoint) of the most reported IP addresses form the Blacklist Endpoint.","AbuseIPDB-BlacklistIpToThreatIntelligence/azuredeploy.json","AbuseIPDB-BlacklistIpToThreatIntelligence/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","AbuseIPDB","AbuseIPDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AbuseIPDB","true" "","AbuseIPDB Enrich Incident By IP Info","playbook","Once a new sentinal incident is created, this playbook gets triggered and performs the following actions: 1. [Gets Information](https://docs.abuseipdb.com/#check-endpoint) from AbuseIPDB by IP`s, provided in the alert custom entities. 2. Enriches the incident with the obtained info.","AbuseIPDB-EnrichIncidentByIPInfo/azuredeploy.json","AbuseIPDB-EnrichIncidentByIPInfo/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","AbuseIPDB","AbuseIPDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AbuseIPDB","true" "","AbuseIPDB Report IPs To AbuseIPDB After User Response In MSTeams","playbook","When a new sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Sends an adaptive card to the Teams channel where the analyst can choose an action to be taken.","AbuseIPDB-ReportIPsAfterUserResponseInMSTeams/azuredeploy.json","AbuseIPDB-ReportIPsAfterUserResponseInMSTeams/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","AbuseIPDB","AbuseIPDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AbuseIPDB","true" 
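Review bot: The only change in this hunk is the trailing boolean column flipping from "true" to "false" on every 42Crunch API Protection row (analytic rules, workbook and parser alike); the header row is not part of the diff, so the PR description or the README version history should name that column and say why this solution's value changed, otherwise a regenerated CSV that flips a whole solution reads as a silent regression. Visible in the same rows, though not introduced by this change: two rules carry the title "API - Rate limiting" (c6258d51-7b82-4942-8293-94c1dcf91595 backed by APIFirstTimeAccess.yaml and b808063b-07d5-432c-95d0-8900da61cce9 backed by APIRateLimiting.yaml), which looks like a copy-paste error in the source rule and is worth reporting to the solution owner rather than patching in the generated CSV.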
@@ -52,7 +52,7 @@ "aaf57371-02c0-4bf5-8c03-dfeb6536e397","Acronis - Protection Service Errors","hunting_query","Various errors related to Active Protection or CPS malfunctions.","AcronisProtectionServiceErrors.yaml","","","","","","","","","has_query","Acronis","","CommonSecurityLog.DeviceEventClassID in ""ActiveProtectionDriverRemediated,ActiveProtectionInvalidNetworkRecoveryPath,ActiveProtectionServiceConflict,ActiveProtectionServiceFailureToApplyPolicy,ActiveProtectionServiceNotAvailable,ActiveProtectionServiceNotRunning,CPSProtectionFailureDetected,ProtectionServiceNotWorking"" | CommonSecurityLog.DeviceVendor == ""Acronis""","","","Solution","","","","","false","Acronis Cyber Protect Cloud","Acronis Cyber Protect Cloud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis%20Cyber%20Protect%20Cloud","true" "39310cb8-53bc-47c1-86c4-2ff9f0d3cc5f","Acronis - ASZ defence: Unauthorized operation is detected and blocked","hunting_query","An attempt to modify the protected Acronis Secure Zone partition was blocked.","AcronisUnauthorizedOperationIsDetected.yaml","","","","","","","","","has_query","Acronis","","CommonSecurityLog.DeviceEventClassID == ""ActiveProtectionDetectedAszPartitionAccessed"" | CommonSecurityLog.DeviceVendor == ""Acronis""","","","Solution","","","","","false","Acronis Cyber Protect Cloud","Acronis Cyber Protect Cloud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis%20Cyber%20Protect%20Cloud","true" "","InfoSecGlobal","workbook","","InfoSecGlobal.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","AgileSec Analytics Connector","AgileSec Analytics Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AgileSec%20Analytics%20Connector","true" -"","AIA-Darktrace","workbook","","AIA-Darktrace.json","","","","","","","","","has_query","Darktrace","AI Analyst;Enterprise Immune System","CommonSecurityLog.Activity !contains ""saas"" | 
CommonSecurityLog.Activity contains ""Antigena"" | CommonSecurityLog.Activity contains ""Compliance"" | CommonSecurityLog.Activity contains ""iaas"" | CommonSecurityLog.Activity contains ""saas"" | CommonSecurityLog.DestinationIP !startswith ""10"" | CommonSecurityLog.DestinationIP !startswith ""172"" | CommonSecurityLog.DestinationIP !startswith ""192"" | CommonSecurityLog.DeviceName contains ""#"" | CommonSecurityLog.DeviceProduct in ""AI Analyst,Enterprise Immune System"" | CommonSecurityLog.DeviceVendor == ""Darktrace"" | _Computed.status != ""True""","","","Solution","","","","","false","AI Analyst Darktrace","AI Analyst Darktrace","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace","true" +"","AIA-Darktrace","workbook","","AIA-Darktrace.json","","","","","","","","","has_query","Darktrace","AI Analyst;Enterprise Immune System","CommonSecurityLog.Activity !contains ""saas"" | CommonSecurityLog.Activity contains ""Antigena"" | CommonSecurityLog.Activity contains ""Compliance"" | CommonSecurityLog.Activity contains ""iaas"" | CommonSecurityLog.Activity contains ""saas"" | CommonSecurityLog.DestinationIP !startswith ""10"" | CommonSecurityLog.DestinationIP !startswith ""172"" | CommonSecurityLog.DestinationIP !startswith ""192"" | CommonSecurityLog.DeviceName contains ""#"" | CommonSecurityLog.DeviceProduct in ""AI Analyst,Enterprise Immune System"" | CommonSecurityLog.DeviceVendor == ""Darktrace"" | _Computed.status != ""True""","","","Solution","","","","","false","AI Analyst Darktrace","AI Analyst Darktrace","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AI%20Analyst%20Darktrace","false" "97a76b2d-02ea-4ae5-b0c4-79e834036481","Guardian- Ban Topic Policy Violation Detection","analytic_rule","'This alert creates an incident when Ban Topic Policy Violation detected from the 
Guardian.'","BanTopicVulDetection.yaml","","","Medium","Available","Scheduled","","","BoschAIShield","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" "e7493b80-88d0-44fb-b11d-40a0467cc497","Guardian- BII Detection Policy Violation Detection","analytic_rule","'This alert creates an incident when BII Detection Policy Violation detected from the Guardian.'","BIIDetectionVulDetection.yaml","","","High","Available","Scheduled","","","BoschAIShield","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" "e5d9eea1-3250-49ba-9e39-b5678ec7496b","Guardian- Block Competitor Policy Violation Detection","analytic_rule","'This alert creates an incident when a Block Competitor Policy Violation is detected from the Guardian.'","BlockCompetitorVulDetection.yaml","","","Low","Available","Scheduled","","","BoschAIShield","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" 
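Review bot: Same true-to-false flip on the trailing column, this time for the single AIA-Darktrace workbook row while the adjacent Acronis, InfoSecGlobal and AIShield rows keep "true". The -/+ pair differs only in that last field, buried after a long token-filter column, so a one-line list in the changelog of which solutions changed state would make this kind of hunk far easier to verify by eye.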
@@ -95,6 +95,11 @@ "","GuardianDashboard","workbook","","GuardianDashboard.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" "574a5c4d-051c-41c8-83a9-f06962e14d85","AIShield","parser","","AIShield.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" "8f225af4-b1f6-4598-9cff-e85a0ee8a909","Guardian","parser","","Guardian.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","AIShield AI Security Monitoring","AIShield AI Security Monitoring","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AIShield%20AI%20Security%20Monitoring","true" +"","GuardicoreIncident","workbook","","GuardicoreIncident.json","","","","","","","","","has_query","","","_Computed.Direction != ""Internal"" | _Computed.destination_node_type == ""internet"" | _Computed.source_node_type == ""internet""","","","Solution","","","","","false","Akamai Guardicore","Akamai Guardicore","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore","false" +"","GuardicoreInfo","workbook","","GuardicoreInfo.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Akamai Guardicore","Akamai Guardicore","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore","false" +"","Akamai Guardicore Incident-Enrichment — one-click bootstrap","playbook","Deploys the entire Akamai Guardicore incident-enrichment stack in one shot: Storage Account + GuardicoreConnectionSlots Azure Table, Data Collection Endpoint (or reuses an existing one), Data Collection Rule, two custom log 
tables, two Logic Apps (trigger playbook + recurrence runner), and the role assignments the Logic Apps' managed identities need to write to the DCR and the storage account. After deployment, the only manual step is wiring the trigger playbook to a Microsoft Sentinel automatio","azuredeploy.json","readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Akamai Guardicore","Akamai Guardicore","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore","false" +"","Guardicore-EnrichmentRunner","playbook","Recurrence-triggered Logic App that drains the GuardicoreConnectionSlots Azure Table work queue, fetches Guardicore /api/v3.0/connections for each due slot's 5-minute window, and ingests the results into GuardicoreEnrichingConnections_CL via the Logs Ingestion API. Companion to the Guardicore-ProcessIncidentEnrichment playbook. No Azure Function App is deployed.","Guardicore-EnrichmentRunner/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Akamai Guardicore","Akamai Guardicore","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore","false" +"","Guardicore-ProcessIncidentEnrichment","playbook","This playbook reacts to a Microsoft Sentinel incident, computes the 3-slot fan-out over the incident's IP entities, writes slot-claim rows to the GuardicoreConnectionSlots Azure Table, and posts one slot-manifest record per slot to the GuardicoreProcessedIncidents_CL custom log via the Logs Ingestion API. The actual Guardicore /api/v3.0/connections fetch is performed asynchronously by the companion Guardicore-EnrichmentRunner Logic App. 
(Function-App-free architecture.)","Guardicore-ProcessIncidentEnrichment/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Akamai Guardicore","Akamai Guardicore","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Guardicore","false" "9db78fa7-e565-45ee-8478-e562630b084a","AkamaiSIEMEvent","parser","","AkamaiSIEMEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Akamai Security Events","Akamai Security Events","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Akamai%20Security%20Events","true" "e310f050-75af-4059-b0ff-0ae7c7db8120","AliCloud","parser","","AliCloud.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Alibaba Cloud","Alibaba Cloud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alibaba%20Cloud","true" "9649e203-3cb7-47ff-89a9-42f2a5eefe31","Alsid Active Directory attacks pathways","analytic_rule","'Searches for triggered Indicators of Exposures related to Active Directory attacks pathways'","ADAttacksPathways.yaml","","","Low","Available","Scheduled","CredentialAccess","T1110","AlsidForAD","has_query","","","","","","Solution","","","","","false","Alsid For AD","Alsid For AD","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid%20For%20AD","false" 
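Review bot: The description of the new Akamai Guardicore one-click bootstrap playbook row is cut off mid-word ("... wiring the trigger playbook to a Microsoft Sentinel automatio"), so either the generator truncates descriptions at a fixed length without marking it or the source metadata is itself truncated; if it is the generator, cut at a word boundary and append an ellipsis so consumers of the CSV can tell the text is incomplete. Also, this row points at `azuredeploy.json` and `readme.md` at the solution root, whereas the two companion playbooks use subfolder paths (`Guardicore-EnrichmentRunner/azuredeploy.json`, `Guardicore-ProcessIncidentEnrichment/azuredeploy.json`), so confirm the path column is relative to the same base for all three rows.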
@@ -262,9 +267,9 @@ "fb6c861f-c438-4a5d-ae97-59dfc7af607a","ArmisActivities","parser","","ArmisActivities.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Armis","Armis","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis","true" "7783dff3-1e0a-4622-bdd7-74ee371e4dba","ArmisAlerts","parser","","ArmisAlerts.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Armis","Armis","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis","true" "826eac66-f927-4351-ab5d-483457060ae0","ArmisDevice","parser","","ArmisDevice.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Armis","Armis","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis","true" -"322d4765-be6b-4868-9e3f-138a4f339dd6","Armorblox Needs Review Alert","analytic_rule","'This rule generates an alert for an Armorblox incident where the remediation action is ""Needs Review"".'","ArmorbloxNeedsReviewAlert.yaml","","","Medium","Available","Scheduled","","","Armorblox","has_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","true" -"","ArmorbloxOverview","workbook","","ArmorbloxOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","true" -"","Needs-Review-Incident-Email-Notification","playbook","This playbook will send an email notification when a new incident is created in Microsoft Sentinel.","Needs-Review-Incident-Email-Notification/azuredeploy.json","Needs-Review-Incident-Email-Notification/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","true" 
+"322d4765-be6b-4868-9e3f-138a4f339dd6","Armorblox Needs Review Alert","analytic_rule","'This rule generates an alert for an Armorblox incident where the remediation action is ""Needs Review"".'","ArmorbloxNeedsReviewAlert.yaml","","","Medium","Available","Scheduled","","","Armorblox","has_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","false" +"","ArmorbloxOverview","workbook","","ArmorbloxOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","false" +"","Needs-Review-Incident-Email-Notification","playbook","This playbook will send an email notification when a new incident is created in Microsoft Sentinel.","Needs-Review-Incident-Email-Notification/azuredeploy.json","Needs-Review-Incident-Email-Notification/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Armorblox","Armorblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armorblox","false" "7dabe04d-66c5-4d47-8e3c-7580e807be88","ArubaClearPass","parser","","ArubaClearPass.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Aruba ClearPass","Aruba ClearPass","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Aruba%20ClearPass","true" "91a64f79-c926-4b7f-a77e-b202f79fe4bf","ConfluenceAudit","parser","","ConfluenceAudit.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","AtlassianConfluenceAudit","AtlassianConfluenceAudit","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianConfluenceAudit","true" "5b0cec45-4a91-4f08-bb1b-392427e8f440","Jira - Global permission added","analytic_rule","'Detects when global permission 
added.'","JiraGlobalPermissionAdded.yaml","","","Medium","Available","Scheduled","PrivilegeEscalation","T1078","JiraAuditAPI","has_query","","","","","","Solution","","","","","false","AtlassianJiraAudit","AtlassianJiraAudit","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit","true" 
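Review bot: the only change to the three Armorblox rows (analytic rule, workbook and playbook) is the final boolean field flipping from `true` to `false`, with every other field unchanged and nothing in the hunk explaining why, while the neighbouring Armis and Aruba ClearPass rows keep `true`; please record the reason for the override in the commit or changelog so the flag can be audited later, since a bare `true` to `false` edit in a generated CSV is easy to lose on the next regeneration.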
@@ -432,24 +437,24 @@ "c3ac03d5-dbf2-49ab-a2de-83396a20a5fb","Determine users with cluster admin role","hunting_query","'This query determines the cluster-admin role assigned to users and applied to resources across the entire cluster .","AKS-clusterrolebinding.yaml","","","Medium","","","Persistence","T1098","AzureKubernetes","has_query","","","AzureDiagnostics.Category == ""kube-audit"" | AzureDiagnostics.Resource =~ ""ClusterRoleBinding""","","","Solution","","","","","false","Azure kubernetes Service","Azure kubernetes Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20kubernetes%20Service","true" "765dce51-689a-44b5-9b38-c9ae9441c7fc","Azure RBAC AKS created role details","hunting_query","'Query get the details of role created for kube-audit.","AKS-Rbac.yaml","","","Medium","","","Persistence","T1098","AzureKubernetes","has_query","","","AzureDiagnostics.Category == ""kube-audit""","","","Solution","","","","","false","Azure kubernetes Service","Azure kubernetes Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20kubernetes%20Service","true" "","AksSecurity","workbook","","AksSecurity.json","","","","","","","","","has_query","","","AzureDiagnostics.Category == ""kube-audit"" | AzureDiagnostics.Resource in ""clusterrolebindings,events,pods,secrets"" | SecurityAlert.AlertType in ""K8S_ClusterAdminBinding,K8S_MaliciousContainerExec,K8S_PrivilegedContainer,K8S_SensitiveMount"" | SecurityAlert.AlertType startswith ""K8S_"" | _Computed.name != ""kubernetes-dashboard-key-holder"" | _Computed.name != ""tunnelend"" | _Computed.name != ""tunnelfront""","","","Solution","","","","","false","Azure kubernetes Service","Azure kubernetes Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20kubernetes%20Service","true" -"daa32afa-b5b6-427d-93e9-e32f3f359dd7","Credential errors stateful anomaly on database","analytic_rule","'This query batches of distinct SQL queries that failed with error 
codes that might indicate malicious attempts to gain illegitimate access to the data. When Brute Force attacks are attempted, majority of logins will use wrong credentials, thus will fail with error code 18456. Thus, if we see a large number of logins with such error codes, this could indicate Brute Force attack.'","Detection-ErrorsCredentialStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsErrorAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"daa32afa-b5b6-427d-93e9-e32f3f359dd7","Credential errors stateful anomaly on database","analytic_rule","'This query batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When Brute Force attacks are attempted, majority of logins will use wrong credentials, thus will fail with error code 18456. 
Thus, if we see a large number of logins with such error codes, this could indicate Brute Force attack.'","Detection-ErrorsCredentialStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess,CredentialAccess","T1190,T1110.001,T1110.002","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsErrorAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "20f87813-3de0-4a9f-a8c0-6aaa3187be08","Firewall errors stateful anomaly on database","analytic_rule","'This query batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. When attacker attempts to scan or gain access to server protected by firewall, he will be blocked by firewall and fail with error code 40615. Thus, if we see a large number of logins with such error codes, this could indicate attempts to gain access.'","Detection-ErrorsFirewallStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsErrorAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "c815008d-f4d1-4645-b13b-8b4bc188d5de","Syntax errors stateful anomaly on database","analytic_rule","'This query batches of distinct SQL queries that failed with error codes that might indicate malicious attempts to gain illegitimate access to the data. 
When blind type of attacks are performed (such as SQL injection of fuzzying), the attempted queries are often malformed and fail on wrong syntax (error 102) or wrong escaping (error 105). Thus, if a large number of different queries fail on such errors in a short amount of time, this might indicate attempted attack.'","Detection-ErrorsSyntaxStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsErrorAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"237c3855-138c-4588-a68f-b870abd3bfc9","Drop attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to drop tables or databases (e.g. for data vandalism).'","Detection-HotwordsDropStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"3367fd5e-44b3-4746-a9a5-dc15c8202490","Execution attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to execute shell commands (e.g. 
for running illegitimate code).'","Detection-HotwordsExecutionStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"05030ca6-ef66-42ca-b672-2e84d4aaf5d7","Firewall rule manipulation attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate firewall rules (e.g. for allowing malicious access to the database).'","Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"237c3855-138c-4588-a68f-b870abd3bfc9","Drop attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to drop tables or databases (e.g. 
for data vandalism).'","Detection-HotwordsDropStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","Impact","T1485","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"3367fd5e-44b3-4746-a9a5-dc15c8202490","Execution attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to execute shell commands (e.g. for running illegitimate code).'","Detection-HotwordsExecutionStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","Execution","T1059,T1059.001,T1059.003","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"05030ca6-ef66-42ca-b672-2e84d4aaf5d7","Firewall rule manipulation attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate firewall rules (e.g. 
for allowing malicious access to the database).'","Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","DefenseEvasion,Persistence","T1098,T1562","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "dabd7284-004b-4237-b5ee-a22acab19eb2","OLE object manipulation attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to manipulate OLE objects (e.g. for running malicious commands).'","Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"c105513d-e398-4a02-bd91-54b9b2d6fa7d","Outgoing connection attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to access external sites or resources (e.g. 
for downloading malicious content).'","Detection-HotwordsOutgoingStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"c105513d-e398-4a02-bd91-54b9b2d6fa7d","Outgoing connection attempts stateful anomaly on database","analytic_rule","'This query detects batches of distinct SQL queries that execute (or attempt to) commands that could indicate potential security issues - such as attempts to access external sites or resources (e.g. for downloading malicious content).'","Detection-HotwordsOutgoingStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","CommandAndControl","T1105,T1071","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsHotwordAnomalyOnStatement == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "2a632013-379d-4993-956f-615063d31e10","Affected rows stateful anomaly on database","analytic_rule","'Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThre","Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","Impact","T1485,T1565,T1491","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"9851c360-5fd5-4bae-a117-b66d8476bf5e","Response rows stateful anomaly on database","analytic_rule","'Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (highe","Detection-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","Exfiltration","T1537,T1567","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"724c7010-0afe-4d46-95ab-32f6737e658b","Anomalous Query Execution Time","hunting_query","'This hunting query will detect SQL queries that have affected an unusual number of rows for the given user and application combination. 
It will calculate the prevalence for each row count impacted to find instances where a large number of rows is anomalously affected. This hunting query is designed to detect SQL mass-deletion and mass-read events.'","HuntingQuery-AffectedRowAnomaly.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"9851c360-5fd5-4bae-a117-b66d8476bf5e","Response rows stateful anomaly on database","analytic_rule","'Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (highe","Detection-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml","","","Medium","Available","Scheduled","Collection","T1213.006","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"724c7010-0afe-4d46-95ab-32f6737e658b","Anomalous Query Execution Time","hunting_query","'This hunting query will detect SQL queries that have affected an unusual number of rows for the given user and application combination. 
It will calculate the prevalence for each row count impacted to find instances where a large number of rows is anomalously affected. This hunting query is designed to detect SQL mass-deletion and mass-read events.'","HuntingQuery-AffectedRowAnomaly.yaml","","","","","","Impact","T1565.001,T1485","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "4cda0673-37f9-4765-af1f-556de2295cd7","Boolean Blind SQL Injection","hunting_query","'This hunting query will detect instances where a balanced boolean query, e.g. ""true=true"", is observed in an SQL query sent to the server. Balanced boolean queries are commonly used by attackers to test of SQL injections vulnerabilities'","HuntingQuery-BooleanBlindSQLi.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "af55d5b0-6b4a-4874-8299-9d845bf7c1fd","Anomalous Query Execution Time","hunting_query","'This hunting query will detect SQL queries that took an unusually long period of time to execute based on a calculated average execution time. 
The query groups based on the application and the username, making this query suitable for detecting exploitation of web applications, or other SQL backed applications with predictable behaviour.'","HuntingQuery-ExecutionTimeAnomaly.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "2a21303e-be48-404f-a6f6-883a6acfe5ad","Prevalence Based SQL Query Size Anomaly","hunting_query","'Applications using SQL will generally make repeated similar requests for data as users interact with the application, this hunting query will find instances where an unusual number of tokens have been seen grouped on the client application and username. The query will calculate the prevalence for the token sizes based on historical activity from grouped application and user and show instances where an unusual number of tokens were observed. This query is designed to be run against application a","HuntingQuery-PrevalenceBasedQuerySizeAnomaly.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38","Suspicious SQL Stored Procedures","hunting_query","'This hunting query will detect SQL queries where suspicious stored procedures are called. 
Suspicious procedures included in the query are based on data seen by the MSTIC Deception honeypot.'","HuntingQuery-SuspiciousStoredProcedures.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category =~ ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38","Suspicious SQL Stored Procedures","hunting_query","'This hunting query will detect SQL queries where suspicious stored procedures are called. Suspicious procedures included in the query are based on data seen by the MSTIC Deception honeypot.'","HuntingQuery-SuspiciousStoredProcedures.yaml","","","","","","Execution","T1505.001,T1059.003","AzureSql","has_query","","","AzureDiagnostics.Category =~ ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "e0944dec-3c92-4b2d-8e81-a950afeaba69","Time Based SQL Query Size Anomaly","hunting_query","'This hunting query uses series decompose anomaly to identify periods of time where a given user account and application combination is used to send an anomalous number of parameters or SQL query tokens to the server. 
This query is designed to be run against application and username combinations that are used by SQL applications, such as content management systems (Wordpress, Joomla, TYPO3, etc.).'","HuntingQuery-TimeBasedQuerySizeAnomaly.yaml","","","","","","InitialAccess","T1190","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "9670ac84-e035-47f5-8eb5-9d863a8a7893","Affected rows stateful anomaly on database - hunting query","hunting_query","'Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. This is a hunting query, so the training and the detection occur on the whole time window (controlled by 'queryPeriod' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).'","HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase.yaml","","","Medium","","","Impact","T1485,T1565,T1491","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" -"137tyi7c-7225-434b-8bfc-fea28v95ebd8","Response rows stateful anomaly on database - hunting query","hunting_query","'Goal: To detect anomalous data exfiltration. 
This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. This is a hunting query, so the training and the detection occur on the whole time window (controlled by 'queryPeriod' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).'","HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml","","","Medium","","","Exfiltration","T1537,T1567","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" +"137tyi7c-7225-434b-8bfc-fea28v95ebd8","Response rows stateful anomaly on database - hunting query","hunting_query","'Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database. This is a hunting query, so the training and the detection occur on the whole time window (controlled by 'queryPeriod' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).'","HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase.yaml","","","Medium","","","Collection","T1213.006","AzureSql","has_query","","","AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | _Computed.IsVolumeAnomalyOnVal == ""true""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "","Workbook-AzureSQLSecurity","workbook","","Workbook-AzureSQLSecurity.json","","","","","","","","","has_query","","","AzureActivity.ActivityStatusValue == ""Succeeded"" | AzureActivity.Caller has ""@"" | AzureDiagnostics.Category == ""SQLSecurityAuditEvents"" | AzureDiagnostics.ResourceType == ""SERVERS/DATABASES"" | SecurityAlert.AlertType startswith ""SQL."" | SecurityAlert.AlertType startswith ""SQl."" | _Computed.Entities has ""MICROSOFT.SQL"" | _Computed.Statement contains ""curl"" | _Computed.Statement contains ""drop database"" | _Computed.Statement contains ""drop table"" | _Computed.Statement contains ""ftp:"" | _Computed.Statement contains ""http:"" | _Computed.Statement contains ""https:"" | _Computed.Statement contains ""msdb exec"" | _Computed.Statement contains ""powershell"" | _Computed.Statement contains ""ps.exe"" | _Computed.Statement contains ""sys.dm_os"" | _Computed.Statement contains ""xp_"" | _Computed.f in ""All,Drop,Execution,OS,Outward,Statement"" | _Computed.indicator == ""1"" | _Computed.isSuccess in ""false,true"" | _Computed.q in ""Egress,Events,Failures,Ingress,Successes""","","","Solution","","","","","false","Azure SQL Database solution for sentinel","Azure SQL Database solution for 
sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel","true" "16da3a2a-af29-48a0-8606-d467c180fe18","Front Door Premium WAF - SQLi Detection","analytic_rule","'Identifies a match for a SQL Injection attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/Top10/A03_2021-Injection/'","AFD-Premium-WAF-SQLiDetection.yaml","","","High","Available","Scheduled","DefenseEvasion,Execution,InitialAccess,PrivilegeEscalation","T1211,T1059,T1190,T0890","WAF","has_query","","","AzureDiagnostics.Category =~ ""FrontDoorWebApplicationFirewallLog"" | AzureDiagnostics.action_s in~ ""AnomalyScoring,Block""","","","Solution","","","","","false","Azure Web Application Firewall (WAF)","Azure Web Application Firewall (WAF)","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Web%20Application%20Firewall%20%28WAF%29","true" "b7643904-5081-4920-917e-a559ddc3448f","Front Door Premium WAF - XSS Detection","analytic_rule","'Identifies a match for an XSS attack in the Front Door Premium WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements. References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)'","AFD-Premium-WAF-XSSDetection.yaml","","","High","Available","Scheduled","InitialAccess,Execution","T1189,T1203,T0853","WAF","has_query","","","AzureDiagnostics.Category =~ ""FrontDoorWebApplicationFirewallLog"" | AzureDiagnostics.action_s in~ ""AnomalyScoring,Block""","","","Solution","","","","","false","Azure Web Application Firewall (WAF)","Azure Web Application Firewall (WAF)","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Web%20Application%20Firewall%20%28WAF%29","true" 
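Review bot: in the `Suspicious SQL Stored Procedures` row the added technique `T1505.001` (Server Software Component: SQL Stored Procedures) belongs to the Persistence tactic, but the tactic column now lists only `Execution`, so either add `Persistence` to the tactic column or drop the technique to keep the two columns consistent. Two smaller points in the same hunk: the `Firewall rule manipulation attempts` row now maps to `T1098` (Account Manipulation), which does not describe firewall rule changes, whereas `T1562.004` (Disable or Modify System Firewall) would; and both `Response rows stateful anomaly` rows move from `Exfiltration` to `Collection` / `T1213.006` although their unchanged descriptions still state the goal as detecting data exfiltration, so either keep `Exfiltration` alongside the new tactic or align the description text.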
@@ -503,7 +508,7 @@ "800ae9c9-0280-4296-821f-c6e0a473fb41","Azure DevOps- Public project enabled by admin","hunting_query","'This hunting query identifies Azure DevOps activities where organization public projects policy enabled by the admin'","Public Projects enabled.yaml","","","","","","Persistence,DefenseEvasion","T1098,T1562","AzureMonitor","has_query","","","","","","Solution","","","","","false","AzureDevOpsAuditing","AzureDevOpsAuditing","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing","true" "dea70aa0-cd14-4e7f-bac4-a73d9d57eae1","ADOAuditLogs","parser","","ADOAuditLogs.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","AzureDevOpsAuditing","AzureDevOpsAuditing","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing","true" "0610e72f-ceaf-42d1-879e-952a1bd8d07a","Azure Security Benchmark Posture Changed","analytic_rule","This rule monitors Azure policies aligned with the Azure Security Benchmark regulatory compliance initiative and triggers when policy compliance falls below 70% within a 7-day time window.","AzureSecurityBenchmarkPostureChanged.yaml","","","Medium","","Scheduled","Discovery","T1082","AzureSecurityCenter","has_query","","","SecurityRecommendation.RecommendationState in ""Healthy,Unhealthy""","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" -"","AzureSecurityBenchmark","workbook","","AzureSecurityBenchmark.json","","","","","","","","","has_query","","","AzureActivity.ActivityStatusValue in ""Succeeded,Success"" | AzureActivity.OperationName in ""Add member to role,Add user,AzureFirewallIDSLog,NetworkSecurityGroupEvents,Reset user password,Update user"" | AzureActivity.OperationName contains ""PIM"" | AzureActivity.OperationName contains ""create"" | AzureActivity.OperationName contains ""delete"" | 
AzureActivity.OperationName contains ""lockbox"" | AzureActivity.OperationName contains ""remove"" | AzureActivity.OperationName contains ""update"" | AzureActivity.OperationNameValue contains ""recovery"" | AzureActivity.OperationNameValue startswith ""Microsoft.KeyVault"" | AzureActivity.OperationNameValue startswith ""Microsoft.Logic"" | AzureDiagnostics.Category in ""All,AzureFirewallNetworkRule,NetworkSecurityGroupRuleCounter"" | AzureDiagnostics.ResourceProvider == ""MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType == ""AZUREFIREWALLS"" | AzureDiagnostics.msg_s !has "". Rule Collection:"" | AzureDiagnostics.msg_s !has ""DNAT"" | AzureDiagnostics.msg_s !has ""Policy:"" | AzureDiagnostics.msg_s !has ""Rule Collection:"" | AzureDiagnostics.msg_s !has ""Type="" | AzureDiagnostics.msg_s has "". Rule Collection:"" | AzureDiagnostics.msg_s has ""DNAT"" | AzureDiagnostics.msg_s has ""Policy:"" | AzureDiagnostics.msg_s has ""Rule Collection:"" | AzureDiagnostics.msg_s has ""Type="" | SecurityAlert.AlertName contains ""auth"" | SecurityAlert.AlertName contains ""cert"" | SecurityAlert.AlertName contains ""cred"" | SecurityAlert.AlertName contains ""password"" | SecurityAlert.AlertName contains ""secret"" | SecurityAlert.ProviderName == ""IPC"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityEvent.Account !contains ""ANONYMOUS LOGON"" | SecurityEvent.AuthenticationPackageName == ""NTLM"" | SecurityEvent.EventID in ""2889,3000,4624,4768,4769,4776"" | SecurityEvent.LmPackageName == ""NTLM V1"" | SecurityEvent.PackageName contains ""WDigest"" | _Computed.Connection has ""managedApis/azuresentinel"" | _Computed.FailureReason contains ""User did not pass the MFA"" | _Computed.RecommendationName contains ""Auth"" | _Computed.RecommendationName contains ""JIT"" | _Computed.RecommendationName contains ""TLS"" | _Computed.RecommendationName contains ""access"" | _Computed.RecommendationName contains ""aks"" | _Computed.RecommendationName contains ""contain"" 
| _Computed.RecommendationName contains ""defender for servers"" | _Computed.RecommendationName contains ""endpoint protection"" | _Computed.RecommendationName contains ""kube"" | _Computed.RecommendationName contains ""virus"" | _Computed.Tactics == ""exfiltration"" | _Computed.Tactics contains ""access"" | _Computed.Tactics contains ""elevate"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.complianceStandardId == ""Microsoft cloud security benchmark"" | _Computed.complianceState in ""Failed,Passed"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.state in ""Healthy,Unhealthy"" | _Computed.type in~ ""Microsoft.KeyVault/vaults,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ ""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.communication/emailservices"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | _Computed.type !~ 
""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | _Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.network/dnsforwardingrulesets"" | _Computed.type !~ ""microsoft.network/dnsresolvers"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ ""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ 
""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.scvmm/vmmservers"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ ""microsoft.workloads/monitors"" | _Computed.type !~ ""microsoft.workloads/phpworkloads"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/applicationinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/centralinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/databaseinstances"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments"" | _Im_NetworkSession.DstPortNumber == ""123"" | _Im_NetworkSession.NetworkDirection == ""outbound"" | _Im_NetworkSession.NetworkProtocol == ""UDP"" | _Im_NetworkSession.Type in ""microsoft.logic/workflows,microsoft.security/assessments,microsoft.security/assessments/subassessments,microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols,microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments"" | _Im_NetworkSession.Type =~ ""microsoft.operationalinsights/workspaces"" | _Im_NetworkSession.Type !contains ""web"" | _Im_NetworkSession.Type contains ""dns"" | _Im_NetworkSession.Type contains ""dos"" | _Im_NetworkSession.Type contains ""express"" | _Im_NetworkSession.Type contains ""firewall"" | _Im_NetworkSession.Type contains ""gateway"" | _Im_NetworkSession.Type contains ""microsoft"" | _Im_NetworkSession.Type contains 
""microsoft.network"" | _Im_NetworkSession.Type contains ""network"" | _Im_NetworkSession.Type contains ""peer"" | _Im_NetworkSession.Type contains ""private"" | _Im_NetworkSession.Type contains ""recovery"" | _Im_NetworkSession.Type contains ""securitygroups"" | _Im_NetworkSession.Type contains ""webapplicationfirewall""","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" +"","AzureSecurityBenchmark","workbook","","AzureSecurityBenchmark.json","","","","","","","","","has_query","","","AuditLogs.OperationName in ""Add member to role,Add user,AzureFirewallIDSLog,NetworkSecurityGroupEvents,Reset user password,Update user"" | AuditLogs.OperationName contains ""PIM"" | AuditLogs.OperationName contains ""create"" | AuditLogs.OperationName contains ""delete"" | AuditLogs.OperationName contains ""lockbox"" | AuditLogs.OperationName contains ""remove"" | AuditLogs.OperationName contains ""update"" | AzureActivity.ActivityStatusValue in ""Succeeded,Success"" | AzureActivity.OperationNameValue contains ""recovery"" | AzureActivity.OperationNameValue startswith ""Microsoft.KeyVault"" | AzureActivity.OperationNameValue startswith ""Microsoft.Logic"" | AzureDiagnostics.Category in ""All,AzureFirewallNetworkRule,NetworkSecurityGroupRuleCounter"" | AzureDiagnostics.ResourceProvider == ""MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType == ""AZUREFIREWALLS"" | AzureDiagnostics.msg_s !has "". Rule Collection:"" | AzureDiagnostics.msg_s !has ""DNAT"" | AzureDiagnostics.msg_s !has ""Policy:"" | AzureDiagnostics.msg_s !has ""Rule Collection:"" | AzureDiagnostics.msg_s !has ""Type="" | AzureDiagnostics.msg_s has "". 
Rule Collection:"" | AzureDiagnostics.msg_s has ""DNAT"" | AzureDiagnostics.msg_s has ""Policy:"" | AzureDiagnostics.msg_s has ""Rule Collection:"" | AzureDiagnostics.msg_s has ""Type="" | SecurityAlert.AlertName contains ""auth"" | SecurityAlert.AlertName contains ""cert"" | SecurityAlert.AlertName contains ""cred"" | SecurityAlert.AlertName contains ""password"" | SecurityAlert.AlertName contains ""secret"" | SecurityAlert.ProviderName == ""IPC"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityEvent.Account !contains ""ANONYMOUS LOGON"" | SecurityEvent.AuthenticationPackageName == ""NTLM"" | SecurityEvent.EventID in ""2889,3000,4624,4768,4769,4776"" | SecurityEvent.LmPackageName == ""NTLM V1"" | SecurityEvent.PackageName contains ""WDigest"" | _Computed.Connection has ""managedApis/azuresentinel"" | _Computed.FailureReason contains ""User did not pass the MFA"" | _Computed.Tactics == ""exfiltration"" | _Computed.Tactics contains ""access"" | _Computed.Tactics contains ""elevate"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.complianceStandardId == ""Microsoft cloud security benchmark"" | _Computed.complianceState in ""Failed,Passed"" | _Computed.recommendationName contains ""Auth"" | _Computed.recommendationName contains ""JIT"" | _Computed.recommendationName contains ""TLS"" | _Computed.recommendationName contains ""access"" | _Computed.recommendationName contains ""aks"" | _Computed.recommendationName contains ""contain"" | _Computed.recommendationName contains ""defender for servers"" | _Computed.recommendationName contains ""endpoint protection"" | _Computed.recommendationName contains ""kube"" | _Computed.recommendationName contains ""virus"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.state in ""Healthy,Unhealthy"" | _Computed.type in~ 
""Microsoft.KeyVault/vaults,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ ""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.communication/emailservices"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | 
_Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.network/dnsforwardingrulesets"" | _Computed.type !~ ""microsoft.network/dnsresolvers"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ ""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ ""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.scvmm/vmmservers"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ 
""microsoft.workloads/monitors"" | _Computed.type !~ ""microsoft.workloads/phpworkloads"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/applicationinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/centralinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/databaseinstances"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments"" | _Im_NetworkSession.DstPortNumber == ""123"" | _Im_NetworkSession.NetworkDirection == ""outbound"" | _Im_NetworkSession.NetworkProtocol == ""UDP"" | _Im_NetworkSession.Type in ""microsoft.logic/workflows,microsoft.security/assessments,microsoft.security/assessments/subassessments,microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols,microsoft.security/regulatorycompliancestandards/regulatorycompliancecontrols/regulatorycomplianceassessments"" | _Im_NetworkSession.Type =~ ""microsoft.operationalinsights/workspaces"" | _Im_NetworkSession.Type !contains ""web"" | _Im_NetworkSession.Type contains ""dns"" | _Im_NetworkSession.Type contains ""dos"" | _Im_NetworkSession.Type contains ""express"" | _Im_NetworkSession.Type contains ""firewall"" | _Im_NetworkSession.Type contains ""gateway"" | _Im_NetworkSession.Type contains ""microsoft"" | _Im_NetworkSession.Type contains ""microsoft.network"" | _Im_NetworkSession.Type contains ""network"" | _Im_NetworkSession.Type contains ""peer"" | _Im_NetworkSession.Type contains ""private"" | _Im_NetworkSession.Type contains ""recovery"" | _Im_NetworkSession.Type contains ""securitygroups"" | _Im_NetworkSession.Type contains ""webapplicationfirewall""","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" "","Notify-GovernanceComplianceTeam","playbook","This Security Orchestration, Automation, & Response (SOAR) capability is designed 
for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the governance compliance team of respective details via Teams chat and exchange email. This automation reduces requirements to manually monitor the workbook or analytics rules while increasing response times.","Notify_GovernanceComplianceTeam-SecurityBenchmark/Notify_GovernanceComplianceTeam.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" "","Create-AzureDevOpsTask","playbook","This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.","Open_DevOpsTaskRecommendation-ASB/Open_DevOpsTaskRecommendation-ASB.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" "","Create Jira Issue","playbook","This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.","Open_JIRATicketRecommendation-ASB/Open_JIRATicketRecommendation-ASB.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","AzureSecurityBenchmark","AzureSecurityBenchmark","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureSecurityBenchmark","true" 
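Review bot: the rewritten `+` row for the `AzureSecurityBenchmark` workbook moves the `OperationName` filters from `AzureActivity` to `AuditLogs`, but the value list `AuditLogs.OperationName in "Add member to role,Add user,AzureFirewallIDSLog,NetworkSecurityGroupEvents,Reset user password,Update user"` still mixes Entra ID audit operation names with what look like diagnostic-log category names, which suggests the extractor is merging values from more than one query or workbook parameter under a single column; please check the attribution against the workbook JSON rather than relying on the column rename alone. Two related points in the same row: `_Computed.RecommendationName` becomes `_Computed.recommendationName`, a case-only change that will silently break any downstream consumer matching on the old spelling and is not called out anywhere in the hunk, and the lists attributed to `_Im_NetworkSession.Type` (for example `_Im_NetworkSession.Type in "microsoft.logic/workflows,microsoft.security/assessments,..."` and `_Im_NetworkSession.Type contains "microsoft.network"`) are ARM resource types rather than network-session fields in both the old and new rows, so the same misattribution the change fixes for `AuditLogs` remains for the ASIM table and should get the same treatment.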
@@ -562,114 +567,114 @@ "e261b70a-3005-4a1b-a7a2-2c8147fafed7","blacklens Insights","analytic_rule","'Creates incidents from blacklens.io Attack Surface Management alerts ingested into the blacklens_CL table. Alert severity is mapped dynamically from the source data.'","blacklensInsights.yaml","","","High","Available","NRT","Reconnaissance,ResourceDevelopment,InitialAccess,CredentialAccess,Collection,Exfiltration,DefenseEvasion,CommandAndControl","T1595,T1583,T1190,T1110,T1005,T1041,T1562,T1071","blacklens_io","has_query","","","","","","Solution","","","","","false","Blacklens","Blacklens","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Blacklens","true" "","Retrieve Alert from Microsoft Sentinel and Trigger a Blink Workflow via Webhook","playbook","Send a webhook request to a Blink workflow trigger whenever a new alert is created in Microsoft Sentinel","Sentinel-Alert-Handler/azuredeploy.json","Sentinel-Alert-Handler/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","BlinkOps","BlinkOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BlinkOps","true" "","Retrieve Incident from Microsoft Sentinel and Trigger a Blink Workflow via Webhook","playbook","Send a webhook request to a Blink workflow trigger whenever a new Incident is created in Microsoft Sentinel","Sentinel-Incident-Handler/azuredeploy.json","Sentinel-Incident-Handler/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","BlinkOps","BlinkOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BlinkOps","true" -"34099af9-e79a-4d5a-a50c-c5e51f5bb965","BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero 
Objects","AddKeyCredentialLinkPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"17c3d3b1-42f1-4bbd-bcbd-6ab7621448c9","BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups","analytic_rule","BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups","AddMemberPrivilegesOnTierZeroSecurityGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"357d3dee-3b61-4de9-9084-fb245ba23d81","BloodHound Attack Path Finding - Add Members to Tier Zero Group","analytic_rule","BloodHound Attack Path Finding - Add Members to Tier Zero Group","AddMembersToTierZeroGroup.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"3d6fa984-a989-4742-bcc2-099d2a995ef7","BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource","AddownerRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"58c70f97-543b-4116-8624-12ee7ad8a13d","BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App 
Role","analytic_rule","BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role","AddOwnerToTierZeroObjectViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"01ee9ec6-ca69-478d-8830-8fa598ae73d9","BloodHound Attack Path Finding - Add Secret to Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - Add Secret to Tier Zero Principal","AddSecretToTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"f2e24dac-37a2-493d-a8d7-5b7f6bea438c","BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups","analytic_rule","BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups","AddselfPrivilegeOnTierZeroSecurityGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b0b747f2-938a-4f13-b7d1-9def60a719bd","BloodHound Attack Path Finding - Admins on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Admins on Tier Zero Computers","AdminsOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"77d9d959-e899-4a43-a376-d2e4059ca8f4","BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster","analytic_rule","BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster","AksContributorRoleOnTierZeroManagedCluster.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"234ba956-2361-4db2-a9d4-c4c89fb2ed55","BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects","AllextendedPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ba785c29-37f7-469b-b437-495bfdf136eb","BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal","AppAdminControlOfTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"9bd607bf-a64c-4917-913e-e9a33f4ea28e","BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine","analytic_rule","BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual 
Machine","AvereContributorRoleOnTierZeroVirtualMachine.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"a50a328d-a14d-4599-a4e4-32de5b7fe0c7","BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges","BasedConstrainedDelegationPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ca509c4b-d30f-4bad-b59c-4d0ddd0fc822","BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers","BasedConstrainedDelegationPrivilegesOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"28b86df8-daa1-4b94-939b-903c24d8196d","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack","BasedNtlmRelayToAdcs(esc8)Attack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound 
Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"1bc4eeaa-08d8-47b6-85ab-bbea5a062282","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack","BasedNtlmRelayToLdapAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"37a04fa0-b13c-43d9-a6a0-f34229ebf8f4","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack","BasedNtlmRelayToLdapsAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"e9ef6adb-6fa3-49ff-b105-c4cbd4f37808","BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack","analytic_rule","BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack","BasedNtlmRelayToSmbAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"39984923-f74a-45ea-b321-b1dd45ba04e2","BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal","analytic_rule","BloodHound Attack Path 
Finding - Cloud App Admin Over Tier Zero Principal","CloudAppAdminOverTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"bdfa4b55-e385-4035-8af8-ea77df4a81c3","BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine","analytic_rule","BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine","CommandExecutionOnTierZeroVirtualMachine.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"7b2cc2d2-052f-4ac9-9be0-fb6f22cbca33","BloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers","ConstrainedDelegationOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"04a117f0-ff6e-464b-984d-119e33fb0dd5","BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account","analytic_rule","BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account","ContributorRoleOnTierZeroAutomationAccount.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"36191460-f26a-4c4e-8492-71e6049e6bbb","BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource","ContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"c322a41b-c759-4aca-ac9a-25b00791c397","BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers","DcomUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"e426256f-eb14-4b05-9aad-f630944e7012","BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects","ForcechangepasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"5ae4f7e1-b14c-45fe-8d38-f409e148c1da","BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects","GenericallPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"20d7a85c-6af9-4471-a403-961445c0e49e","BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects","GenericwritePrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"21d458a0-b0d5-47bb-9fd1-fdda31f3b7f1","BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault","GetCertifcatesOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"fbeabff4-fad7-4458-8098-c6426388cf3d","BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault","GetKeysOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"cd3e607c-8ab4-4799-a27e-7ff63ae401af","BloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Secrets on Tier Zero Key 
Vault","GetSecretsOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"008a74e7-ad90-4855-87e6-6bdb86eed127","BloodHound Attack Path Finding - Kerberoastable User Accounts","analytic_rule","BloodHound Attack Path Finding - Kerberoastable User Accounts","KerberoastableUserAccounts.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"2f770ce2-97cb-4afc-8dce-28114c3ad66e","BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects","KerberosDelegationOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"7b7347d2-3efb-47d9-a329-5b7ae4357d70","BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource","KeyVaultContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"e3c95148-04b6-4165-b9a6-a107f8a119d9","BloodHound Attack Path Finding - Large Default Groups in DCOM Users 
Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups","LargeDefaultGroupsInDcomUsersGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"141b9381-50fe-4beb-a91a-799da4f466fc","BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups","LargeDefaultGroupsInLocalAdministratorGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ac15bea7-c2c2-4f0f-b13c-2099f4d86f77","BloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups","LargeDefaultGroupsInPsRemoteUsersGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"000d4f86-fc35-4451-9b2b-2a660a95f715","BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups","LargeDefaultGroupsInSqlAdminsGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"2f65df97-23a1-403b-93ea-6e478ee75c5a","BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges","LargeDefaultGroupsWithAddKeyCredentialLinkPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"36262b9d-fc92-47fb-8ec1-bda6e74e3d4e","BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges","LargeDefaultGroupsWithAddMemberPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"6a9a4ef0-e08b-40ad-ad40-c88b6ab915ae","BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges","LargeDefaultGroupsWithAddSelfPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ab49f284-0b2a-42c9-b5e3-2c0fbf941d8e","BloodHound Attack Path Finding - Large Default Groups With All Extended Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With All Extended 
Privileges","LargeDefaultGroupsWithAllExtendedPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b4f835f1-3ce1-4009-9dcd-816ba4107e9b","BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges","LargeDefaultGroupsWithForcechangepasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"54a6167c-f1a3-45a1-8fd0-6023dbda9446","BloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges","LargeDefaultGroupsWithGenericallPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"8193f4fc-383e-45b0-8ef5-15ef1eeae7e3","BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges","LargeDefaultGroupsWithGenericwritePrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"12ecc3cf-a1db-4fa4-bcb2-605dd3a274e0","BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges","LargeDefaultGroupsWithLimitedOwnershipPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"222e7627-fc25-4ffd-a312-5a27513800ea","BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges","LargeDefaultGroupsWithOwnershipPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"f4776f0d-86b7-470a-993a-f3152bbb8917","BloodHound Attack Path Finding - Large Default Groups With RDP Access","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With RDP Access","LargeDefaultGroupsWithRdpAccess.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"86eda318-a551-438c-b72a-3db0ba6bc27e","BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password 
Privileges","LargeDefaultGroupsWithReadGmsaPasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"d6450ee2-2161-4d3c-96c9-674c3c44a791","BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges","LargeDefaultGroupsWithReadLapsPasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"506957d5-23e2-4d38-b047-2273c121831c","BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges","LargeDefaultGroupsWithWriteaccountrestrictionsPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"cfa3b93b-0203-4dd1-b784-c148af74e389","BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege","LargeDefaultGroupsWithWritedaclPrivilege.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"660af442-45ec-4321-b6ce-ee39677f0472","BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege","LargeDefaultGroupsWithWritegplinkPrivilege.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b26a44aa-aec3-4cfe-aa75-e41104f97a9a","BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges","LargeDefaultGroupsWithWriteownerlimitedrightsPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"f2f15e17-c056-487b-ad96-13128c8a6024","BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges","LargeDefaultGroupsWithWriteownerPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"8bbc3980-8b18-40c5-829e-d282afa52284","BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With 
WriteServicePrincipalName Privileges","LargeDefaultGroupsWithWriteserviceprincipalnamePrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"af134cb3-a3e7-421c-bcef-0c6c6432a273","BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges","LargeDefaultGroupWithSynclapspasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"92914273-eb38-4a54-9c5d-03db8d24fba7","BloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects","LegacySidHistoryOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"a2150e6d-b75b-4440-9c7e-18e901fb0b13","BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects","LimitedOwnershipPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"25ffa891-4832-485d-9461-f8c90df1d3ff","BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App","analytic_rule","BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App","LogicAppContributorRoleOnTierZeroLogicApp.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"cf22c2f4-fdc6-465f-8d71-561af44bd475","BloodHound Attack Path Finding - Logons From Tier Zero Users","analytic_rule","BloodHound Attack Path Finding - Logons From Tier Zero Users","LogonsFromTierZeroUsers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"14adaa12-cad0-41ca-b848-f536723e4117","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges","NonTierZeroPrincipalsWithAdcsEsc10ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"82c9f9b1-2990-4d5c-a5f4-26e4e54c904c","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero 
Group","NonTierZeroPrincipalsWithAdcsEsc13PrivilegesAgainstTierZeroGroup.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"1eb72567-2785-44d0-81dd-6a2b08803cdf","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges","NonTierZeroPrincipalsWithAdcsEsc1Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"9fe3e89b-fd57-4df1-a6e7-8a875966dada","BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal","NonTierZeroResourceAssignedToTierZeroServicePrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"cc168d7f-59d1-4472-be98-854869e62907","BloodHound Attack Path Finding - Owner Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Owner Role on Tier Zero Resource","OwnerRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"d902d7c1-8a9c-469a-9899-7222214a0663","BloodHound Attack Path Finding - Ownership of Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - Ownership of Tier Zero Principal","OwnershipOfTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"4dcc4d52-947b-4680-89be-b08a71def3d4","BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects","OwnershipPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"25ea90f3-89d6-417f-8e16-2e7fee38ccf6","BloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers","PsRemoteUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"0eefbca4-0dde-4e72-afaa-dbacc131d07a","BloodHound Attack Path Finding - RDP Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - RDP Users on Tier Zero Computers","RdpUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"d738e45b-472b-4d6b-a1a0-258c4fe9eb26","BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects","ReadGmsaPasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"1a7721b8-028f-47d2-a1aa-dbb307aefb27","BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects","ReadlapspasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"1f9610b1-f9e0-4da2-9600-12f07ba6f437","BloodHound Attack Path Finding - AS-REP Roastable User Accounts","analytic_rule","BloodHound Attack Path Finding - AS-REP Roastable User Accounts","RepRoastableUserAccounts.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"7874ea85-ec86-4519-9aa6-7b7d8c8c4a21","BloodHound Attack Path Finding - Reset a Tier Zero User's Password","analytic_rule","BloodHound Attack Path Finding - Reset a Tier Zero User's 
Password","ResetATierZeroUser_sPassword.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b3c6f684-5fb3-451d-b1d9-fec8089c2503","BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers","SqlAdminUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"31d40f68-8bc5-44f0-bf8c-c9c17d9ef1c8","BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects","SynclapspasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"8844495b-1d05-4080-9fc2-28621f744a4b","BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User","TierZeroAdUserSyncedToTierZeroEntraUser.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"221a122d-8e68-42c9-beaf-010fe184a88f","BloodHound Attack Path Finding - Tier 
Zero SMSA Installed on Non-Tier Zero Computer","analytic_rule","BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer","TierZeroComputer.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"64ba60b8-67d4-4356-8b88-0dfbf98e454a","BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication","TierZeroComputerHostingEnterprisecaTrustedForNtAuthentication.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"94e4114f-acd5-48d9-8b5e-07d08b809541","BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User","TierZeroEntraUserSyncedToTierZeroAdUser.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"70e09635-9787-41af-9973-87d22ca15292","BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role","analytic_rule","BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App 
Role","TierZeroGroupControlViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"8e1df707-a242-42ba-a0aa-68b61f1e620d","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles","TierZeroPrincipalCanGrantTierZeroAppRoles.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"146f6a92-d11a-4728-b66d-6d4dc359ff59","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role","TierZeroPrincipalCanGrantTierZeroEntraIdRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"d9fb446e-58a9-4788-afee-66a2b5391347","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges","TierZeroPrincipalsWithAdcsEsc10ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"e6c6fb5d-c2a4-4ff4-8c75-a66f37e1ecc0","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges","TierZeroPrincipalsWithAdcsEsc3Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"dcd1c727-2084-44d8-871c-a74ac0d8f091","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges","TierZeroPrincipalsWithAdcsEsc4Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ca313efd-032c-4825-b687-86c50e92200f","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges","TierZeroPrincipalsWithAdcsEsc6ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"3050426c-56c0-4a20-9bb2-9d63d3c59484","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 
Scenario B Privileges","TierZeroPrincipalsWithAdcsEsc6ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"4f431f88-ada9-4a20-bbe5-fddc7add942e","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges","TierZeroPrincipalsWithAdcsEsc9ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"93a17e41-1504-4ef3-8a1e-7ad15a32ce98","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges","TierZeroPrincipalsWithAdcsEsc9ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"d6bf4db8-f2f3-4738-9051-bb892b268da3","BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges","TierZeroPrincipalsWithDcsyncPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"bc26d218-89a4-40ba-88b6-76e5141b5731","BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation","TierZeroPrincipalTrustedForUnconstrainedDelegation.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"d817dc53-1787-4b02-b8cf-d6254eec5ddb","BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role","analytic_rule","BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role","TierZeroServicePrincipalControlViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"ccd94d43-3d74-4928-93bf-eb9bfe7924ca","BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource","UserAccessAdminRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"f1334bfc-7cdd-4655-b8de-e1398158f4b5","BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System","analytic_rule","BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero 
System","VmAdminLoginRoleOnTierZeroSystem.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"6356d718-5a61-4f74-b8a4-f93b0b721e9a","BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System","analytic_rule","BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System","VmContributorRoleOnTierZeroSystem.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"a1052a3e-d955-4a0b-9f96-179393e7741a","BloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource","WebsiteContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"f1a667b2-91a8-4a9b-8d31-9a54bb5f0cd5","BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects","WriteAccountRestrictionsPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"c09d3a9d-47da-4bd8-a14d-ea51b447d75d","BloodHound 
Attack Path Finding - WriteDacl Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects","WritedaclPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b64ee057-94a4-42a5-a769-430a2943f764","BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects","WritegplinkPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"645b0f09-f318-41c3-860d-6c0fb595af2b","BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects","WriteownerlimitedrightsPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"924e60be-38af-4a33-98d4-45f2b1643094","BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects","WriteownerPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"b58af025-1b74-436a-8517-b230864cbbb6","BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects","WriteserviceprincipalnamePrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"","BloodHoundEnterpriseAttackPathDetails","workbook","","BloodHoundEnterpriseAttackPathDetails.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"","BloodHoundEnterpriseAttackPathOverview","workbook","","BloodHoundEnterpriseAttackPathOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"","BloodHoundEnterpriseAuditLogs","workbook","","BloodHoundEnterpriseAuditLogs.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"","BloodHoundEnterpriseTierZeroSearch","workbook","","BloodHoundEnterpriseTierZeroSearch.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" 
-"","BloodHoundFindingTrends","workbook","","BloodHoundFindingTrends.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" -"","BloodHoundPostureHistory","workbook","","BloodHoundPostureHistory.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","true" +"34099af9-e79a-4d5a-a50c-c5e51f5bb965","BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Add Key Credential Link Privileges on Tier Zero Objects","AddKeyCredentialLinkPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"17c3d3b1-42f1-4bbd-bcbd-6ab7621448c9","BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups","analytic_rule","BloodHound Attack Path Finding - Add Member Privileges on Tier Zero Security Groups","AddMemberPrivilegesOnTierZeroSecurityGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"357d3dee-3b61-4de9-9084-fb245ba23d81","BloodHound Attack Path Finding - Add Members to Tier Zero Group","analytic_rule","BloodHound Attack Path Finding - Add Members to Tier Zero 
Group","AddMembersToTierZeroGroup.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"3d6fa984-a989-4742-bcc2-099d2a995ef7","BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - AddOwner Role on Tier Zero Resource","AddownerRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"58c70f97-543b-4116-8624-12ee7ad8a13d","BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role","analytic_rule","BloodHound Attack Path Finding - Add Owner to Tier Zero Object via MS Graph App Role","AddOwnerToTierZeroObjectViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"01ee9ec6-ca69-478d-8830-8fa598ae73d9","BloodHound Attack Path Finding - Add Secret to Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - Add Secret to Tier Zero Principal","AddSecretToTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"f2e24dac-37a2-493d-a8d7-5b7f6bea438c","BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security 
Groups","analytic_rule","BloodHound Attack Path Finding - AddSelf Privilege on Tier Zero Security Groups","AddselfPrivilegeOnTierZeroSecurityGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b0b747f2-938a-4f13-b7d1-9def60a719bd","BloodHound Attack Path Finding - Admins on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Admins on Tier Zero Computers","AdminsOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"77d9d959-e899-4a43-a376-d2e4059ca8f4","BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster","analytic_rule","BloodHound Attack Path Finding - AKS Contributor Role on Tier Zero Managed Cluster","AksContributorRoleOnTierZeroManagedCluster.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"234ba956-2361-4db2-a9d4-c4c89fb2ed55","BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - AllExtended Privileges on Tier Zero Objects","AllextendedPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"ba785c29-37f7-469b-b437-495bfdf136eb","BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - App Admin Control of Tier Zero Principal","AppAdminControlOfTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"9bd607bf-a64c-4917-913e-e9a33f4ea28e","BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine","analytic_rule","BloodHound Attack Path Finding - Avere Contributor Role on Tier Zero Virtual Machine","AvereContributorRoleOnTierZeroVirtualMachine.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"a50a328d-a14d-4599-a4e4-32de5b7fe0c7","BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Resource-Based Constrained Delegation Privileges","BasedConstrainedDelegationPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"ca509c4b-d30f-4bad-b59c-4d0ddd0fc822","BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Add Resource-Based Constrained Delegation Privileges on Tier Zero 
Computers","BasedConstrainedDelegationPrivilegesOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"28b86df8-daa1-4b94-939b-903c24d8196d","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to ADCS (ESC8) Attack","BasedNtlmRelayToAdcs(esc8)Attack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"1bc4eeaa-08d8-47b6-85ab-bbea5a062282","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAP Attack","BasedNtlmRelayToLdapAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"37a04fa0-b13c-43d9-a6a0-f34229ebf8f4","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack","analytic_rule","BloodHound Attack Path Finding - Tier Zero Computer Vulnerable to Coercion-Based NTLM Relay to LDAPS Attack","BasedNtlmRelayToLdapsAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"e9ef6adb-6fa3-49ff-b105-c4cbd4f37808","BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack","analytic_rule","BloodHound Attack Path Finding - Computers Vulnerable to Coercion-Based NTLM Relay to SMB Attack","BasedNtlmRelayToSmbAttack.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"39984923-f74a-45ea-b321-b1dd45ba04e2","BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - Cloud App Admin Over Tier Zero Principal","CloudAppAdminOverTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"bdfa4b55-e385-4035-8af8-ea77df4a81c3","BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine","analytic_rule","BloodHound Attack Path Finding - Command Execution on Tier Zero Virtual Machine","CommandExecutionOnTierZeroVirtualMachine.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"7b2cc2d2-052f-4ac9-9be0-fb6f22cbca33","BloodHound Attack Path Finding - Constrained Delegation on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - Constrained Delegation on Tier Zero 
Computers","ConstrainedDelegationOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"04a117f0-ff6e-464b-984d-119e33fb0dd5","BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account","analytic_rule","BloodHound Attack Path Finding - Contributor Role on Tier Zero Automation Account","ContributorRoleOnTierZeroAutomationAccount.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"36191460-f26a-4c4e-8492-71e6049e6bbb","BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Contributor Role on Tier Zero Resource","ContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"c322a41b-c759-4aca-ac9a-25b00791c397","BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - DCOM Users on Tier Zero Computers","DcomUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"e426256f-eb14-4b05-9aad-f630944e7012","BloodHound Attack Path Finding - ForceChangePassword Privileges on 
Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - ForceChangePassword Privileges on Tier Zero Objects","ForcechangepasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"5ae4f7e1-b14c-45fe-8d38-f409e148c1da","BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - GenericAll Privileges on Tier Zero Objects","GenericallPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"20d7a85c-6af9-4471-a403-961445c0e49e","BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - GenericWrite Privileges on Tier Zero Objects","GenericwritePrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"21d458a0-b0d5-47bb-9fd1-fdda31f3b7f1","BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Certifcates on Tier Zero Key Vault","GetCertifcatesOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"fbeabff4-fad7-4458-8098-c6426388cf3d","BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Keys on Tier Zero Key Vault","GetKeysOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"cd3e607c-8ab4-4799-a27e-7ff63ae401af","BloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault","analytic_rule","BloodHound Attack Path Finding - Get Secrets on Tier Zero Key Vault","GetSecretsOnTierZeroKeyVault.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"008a74e7-ad90-4855-87e6-6bdb86eed127","BloodHound Attack Path Finding - Kerberoastable User Accounts","analytic_rule","BloodHound Attack Path Finding - Kerberoastable User Accounts","KerberoastableUserAccounts.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"2f770ce2-97cb-4afc-8dce-28114c3ad66e","BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Kerberos Delegation on Tier Zero Objects","KerberosDelegationOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound 
Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"7b7347d2-3efb-47d9-a329-5b7ae4357d70","BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Key Vault Contributor Role on Tier Zero Resource","KeyVaultContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"e3c95148-04b6-4165-b9a6-a107f8a119d9","BloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in DCOM Users Groups","LargeDefaultGroupsInDcomUsersGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"141b9381-50fe-4beb-a91a-799da4f466fc","BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in Local Administrator Groups","LargeDefaultGroupsInLocalAdministratorGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"ac15bea7-c2c2-4f0f-b13c-2099f4d86f77","BloodHound Attack Path Finding - Large Default Groups in PS Remote Users Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in PS Remote Users 
Groups","LargeDefaultGroupsInPsRemoteUsersGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"000d4f86-fc35-4451-9b2b-2a660a95f715","BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups","analytic_rule","BloodHound Attack Path Finding - Large Default Groups in SQL Admins Groups","LargeDefaultGroupsInSqlAdminsGroups.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"2f65df97-23a1-403b-93ea-6e478ee75c5a","BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Key Credential Link Privileges","LargeDefaultGroupsWithAddKeyCredentialLinkPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"36262b9d-fc92-47fb-8ec1-bda6e74e3d4e","BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Member Privileges","LargeDefaultGroupsWithAddMemberPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"6a9a4ef0-e08b-40ad-ad40-c88b6ab915ae","BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Add Self Privileges","LargeDefaultGroupsWithAddSelfPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"ab49f284-0b2a-42c9-b5e3-2c0fbf941d8e","BloodHound Attack Path Finding - Large Default Groups With All Extended Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With All Extended Privileges","LargeDefaultGroupsWithAllExtendedPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b4f835f1-3ce1-4009-9dcd-816ba4107e9b","BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With ForceChangePassword Privileges","LargeDefaultGroupsWithForcechangepasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"54a6167c-f1a3-45a1-8fd0-6023dbda9446","BloodHound Attack Path Finding - Large Default Groups With GenericAll Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With GenericAll 
Privileges","LargeDefaultGroupsWithGenericallPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"8193f4fc-383e-45b0-8ef5-15ef1eeae7e3","BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With GenericWrite Privileges","LargeDefaultGroupsWithGenericwritePrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"12ecc3cf-a1db-4fa4-bcb2-605dd3a274e0","BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Limited Ownership Privileges","LargeDefaultGroupsWithLimitedOwnershipPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"222e7627-fc25-4ffd-a312-5a27513800ea","BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Ownership Privileges","LargeDefaultGroupsWithOwnershipPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"f4776f0d-86b7-470a-993a-f3152bbb8917","BloodHound Attack Path Finding - Large Default Groups With RDP Access","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With RDP Access","LargeDefaultGroupsWithRdpAccess.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"86eda318-a551-438c-b72a-3db0ba6bc27e","BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Read GMSA Password Privileges","LargeDefaultGroupsWithReadGmsaPasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d6450ee2-2161-4d3c-96c9-674c3c44a791","BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With Read LAPS Password Privileges","LargeDefaultGroupsWithReadLapsPasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"506957d5-23e2-4d38-b047-2273c121831c","BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteAccountRestrictions 
Privileges","LargeDefaultGroupsWithWriteaccountrestrictionsPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"cfa3b93b-0203-4dd1-b784-c148af74e389","BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteDacl Privilege","LargeDefaultGroupsWithWritedaclPrivilege.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"660af442-45ec-4321-b6ce-ee39677f0472","BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteGpLink Privilege","LargeDefaultGroupsWithWritegplinkPrivilege.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b26a44aa-aec3-4cfe-aa75-e41104f97a9a","BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteOwnerLimitedRights Privileges","LargeDefaultGroupsWithWriteownerlimitedrightsPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"f2f15e17-c056-487b-ad96-13128c8a6024","BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteOwner Privileges","LargeDefaultGroupsWithWriteownerPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"8bbc3980-8b18-40c5-829e-d282afa52284","BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Groups With WriteServicePrincipalName Privileges","LargeDefaultGroupsWithWriteserviceprincipalnamePrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"af134cb3-a3e7-421c-bcef-0c6c6432a273","BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges","analytic_rule","BloodHound Attack Path Finding - Large Default Group With SyncLapsPassword Privileges","LargeDefaultGroupWithSynclapspasswordPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"92914273-eb38-4a54-9c5d-03db8d24fba7","BloodHound Attack Path Finding - Legacy SID History on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Legacy SID History on Tier Zero 
Objects","LegacySidHistoryOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"a2150e6d-b75b-4440-9c7e-18e901fb0b13","BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Limited Ownership Privileges on Tier Zero Objects","LimitedOwnershipPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"25ffa891-4832-485d-9461-f8c90df1d3ff","BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App","analytic_rule","BloodHound Attack Path Finding - Logic App Contributor Role on Tier Zero Logic App","LogicAppContributorRoleOnTierZeroLogicApp.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"cf22c2f4-fdc6-465f-8d71-561af44bd475","BloodHound Attack Path Finding - Logons From Tier Zero Users","analytic_rule","BloodHound Attack Path Finding - Logons From Tier Zero Users","LogonsFromTierZeroUsers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"14adaa12-cad0-41ca-b848-f536723e4117","BloodHound Attack Path Finding - Non Tier Zero Principals With 
ADCS ESC10 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC10 Scenario A Privileges","NonTierZeroPrincipalsWithAdcsEsc10ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"82c9f9b1-2990-4d5c-a5f4-26e4e54c904c","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC13 Privileges Against Tier Zero Group","NonTierZeroPrincipalsWithAdcsEsc13PrivilegesAgainstTierZeroGroup.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"1eb72567-2785-44d0-81dd-6a2b08803cdf","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Principals With ADCS ESC1 Privileges","NonTierZeroPrincipalsWithAdcsEsc1Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"9fe3e89b-fd57-4df1-a6e7-8a875966dada","BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service Principal","analytic_rule","BloodHound Attack Path Finding - Non Tier Zero Resource Assigned to Tier Zero Service 
Principal","NonTierZeroResourceAssignedToTierZeroServicePrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"cc168d7f-59d1-4472-be98-854869e62907","BloodHound Attack Path Finding - Owner Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Owner Role on Tier Zero Resource","OwnerRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d902d7c1-8a9c-469a-9899-7222214a0663","BloodHound Attack Path Finding - Ownership of Tier Zero Principal","analytic_rule","BloodHound Attack Path Finding - Ownership of Tier Zero Principal","OwnershipOfTierZeroPrincipal.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"4dcc4d52-947b-4680-89be-b08a71def3d4","BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Ownership Privileges on Tier Zero Objects","OwnershipPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"25ea90f3-89d6-417f-8e16-2e7fee38ccf6","BloodHound Attack Path Finding - PS Remote Users on Tier Zero 
Computers","analytic_rule","BloodHound Attack Path Finding - PS Remote Users on Tier Zero Computers","PsRemoteUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"0eefbca4-0dde-4e72-afaa-dbacc131d07a","BloodHound Attack Path Finding - RDP Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - RDP Users on Tier Zero Computers","RdpUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d738e45b-472b-4d6b-a1a0-258c4fe9eb26","BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Read GMSA Password Privileges on Tier Zero Objects","ReadGmsaPasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"1a7721b8-028f-47d2-a1aa-dbb307aefb27","BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - ReadLapsPassword Privileges on Tier Zero Objects","ReadlapspasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"1f9610b1-f9e0-4da2-9600-12f07ba6f437","BloodHound Attack Path Finding - AS-REP Roastable User Accounts","analytic_rule","BloodHound Attack Path Finding - AS-REP Roastable User Accounts","RepRoastableUserAccounts.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"7874ea85-ec86-4519-9aa6-7b7d8c8c4a21","BloodHound Attack Path Finding - Reset a Tier Zero User's Password","analytic_rule","BloodHound Attack Path Finding - Reset a Tier Zero User's Password","ResetATierZeroUser_sPassword.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b3c6f684-5fb3-451d-b1d9-fec8089c2503","BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers","analytic_rule","BloodHound Attack Path Finding - SQL Admin Users on Tier Zero Computers","SqlAdminUsersOnTierZeroComputers.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"31d40f68-8bc5-44f0-bf8c-c9c17d9ef1c8","BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - SyncLapsPassword Privileges on Tier Zero 
Objects","SynclapspasswordPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"8844495b-1d05-4080-9fc2-28621f744a4b","BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero AD User Synced to Tier Zero Entra User","TierZeroAdUserSyncedToTierZeroEntraUser.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"221a122d-8e68-42c9-beaf-010fe184a88f","BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer","analytic_rule","BloodHound Attack Path Finding - Tier Zero SMSA Installed on Non-Tier Zero Computer","TierZeroComputer.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"64ba60b8-67d4-4356-8b88-0dfbf98e454a","BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Computer Hosting EnterpriseCA Trusted for NT Authentication","TierZeroComputerHostingEnterprisecaTrustedForNtAuthentication.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"94e4114f-acd5-48d9-8b5e-07d08b809541","BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Entra User Synced to Tier Zero AD User","TierZeroEntraUserSyncedToTierZeroAdUser.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"70e09635-9787-41af-9973-87d22ca15292","BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role","analytic_rule","BloodHound Attack Path Finding - Tier Zero Group Control via MS Graph App Role","TierZeroGroupControlViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"8e1df707-a242-42ba-a0aa-68b61f1e620d","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero App Roles","TierZeroPrincipalCanGrantTierZeroAppRoles.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"146f6a92-d11a-4728-b66d-6d4dc359ff59","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID Role","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Can Grant Tier Zero Entra ID 
Role","TierZeroPrincipalCanGrantTierZeroEntraIdRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d9fb446e-58a9-4788-afee-66a2b5391347","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC10 Scenario B Privileges","TierZeroPrincipalsWithAdcsEsc10ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"e6c6fb5d-c2a4-4ff4-8c75-a66f37e1ecc0","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC3 Privileges","TierZeroPrincipalsWithAdcsEsc3Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"dcd1c727-2084-44d8-871c-a74ac0d8f091","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC4 Privileges","TierZeroPrincipalsWithAdcsEsc4Privileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"ca313efd-032c-4825-b687-86c50e92200f","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario A Privileges","TierZeroPrincipalsWithAdcsEsc6ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"3050426c-56c0-4a20-9bb2-9d63d3c59484","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC6 Scenario B Privileges","TierZeroPrincipalsWithAdcsEsc6ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"4f431f88-ada9-4a20-bbe5-fddc7add942e","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario A Privileges","TierZeroPrincipalsWithAdcsEsc9ScenarioAPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"93a17e41-1504-4ef3-8a1e-7ad15a32ce98","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With ADCS ESC9 Scenario B 
Privileges","TierZeroPrincipalsWithAdcsEsc9ScenarioBPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d6bf4db8-f2f3-4738-9051-bb892b268da3","BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principals With DCSync Privileges","TierZeroPrincipalsWithDcsyncPrivileges.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"bc26d218-89a4-40ba-88b6-76e5141b5731","BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation","analytic_rule","BloodHound Attack Path Finding - Non-Tier Zero Principal Trusted for Unconstrained Delegation","TierZeroPrincipalTrustedForUnconstrainedDelegation.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"d817dc53-1787-4b02-b8cf-d6254eec5ddb","BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role","analytic_rule","BloodHound Attack Path Finding - Tier Zero Service Principal Control via MS Graph App Role","TierZeroServicePrincipalControlViaMsGraphAppRole.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound 
Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"ccd94d43-3d74-4928-93bf-eb9bfe7924ca","BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - User Access Admin Role on Tier Zero Resource","UserAccessAdminRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"f1334bfc-7cdd-4655-b8de-e1398158f4b5","BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System","analytic_rule","BloodHound Attack Path Finding - VM Admin Login Role on Tier Zero System","VmAdminLoginRoleOnTierZeroSystem.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"6356d718-5a61-4f74-b8a4-f93b0b721e9a","BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System","analytic_rule","BloodHound Attack Path Finding - VM Contributor Role on Tier Zero System","VmContributorRoleOnTierZeroSystem.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"a1052a3e-d955-4a0b-9f96-179393e7741a","BloodHound Attack Path Finding - Website Contributor Role on Tier Zero Resource","analytic_rule","BloodHound Attack Path Finding - Website Contributor Role on Tier Zero 
Resource","WebsiteContributorRoleOnTierZeroResource.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"f1a667b2-91a8-4a9b-8d31-9a54bb5f0cd5","BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - Write Account Restrictions Privileges on Tier Zero Objects","WriteAccountRestrictionsPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"c09d3a9d-47da-4bd8-a14d-ea51b447d75d","BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteDacl Privileges on Tier Zero Objects","WritedaclPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b64ee057-94a4-42a5-a769-430a2943f764","BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteGpLink Privileges on Tier Zero Objects","WritegplinkPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"645b0f09-f318-41c3-860d-6c0fb595af2b","BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteOwnerLimitedRights Privileges on Tier Zero Objects","WriteownerlimitedrightsPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"924e60be-38af-4a33-98d4-45f2b1643094","BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteOwner Privileges on Tier Zero Objects","WriteownerPrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"b58af025-1b74-436a-8517-b230864cbbb6","BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects","analytic_rule","BloodHound Attack Path Finding - WriteServicePrincipalName Privileges on Tier Zero Objects","WriteserviceprincipalnamePrivilegesOnTierZeroObjects.yaml","","","Medium","Available","Scheduled","","","BloodHoundEnterprise","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"","BloodHoundEnterpriseAttackPathDetails","workbook","","BloodHoundEnterpriseAttackPathDetails.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" 
+"","BloodHoundEnterpriseAttackPathOverview","workbook","","BloodHoundEnterpriseAttackPathOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"","BloodHoundEnterpriseAuditLogs","workbook","","BloodHoundEnterpriseAuditLogs.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"","BloodHoundEnterpriseTierZeroSearch","workbook","","BloodHoundEnterpriseTierZeroSearch.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"","BloodHoundFindingTrends","workbook","","BloodHoundFindingTrends.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" +"","BloodHoundPostureHistory","workbook","","BloodHoundPostureHistory.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","BloodHound Enterprise","BloodHound Enterprise","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/BloodHound%20Enterprise","false" "1139230c-cf10-45db-b616-fed0d1415c05","Box - Abmormal user activity","analytic_rule","'Detects spikes (deviations from avarage) in user activity.'","BoxAbnormalUserActivity.yaml","","","Medium","Available","Scheduled","Collection","T1530","BoxDataConnector","has_query","","","","","","Solution","","","","","false","Box","Box","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box","true" 
"b91ec98d-5747-45c8-b2f6-a07bf47068f0","Box - Executable file in folder","analytic_rule","'Detects executable files in folders.'","BoxBinaryFile.yaml","","","Medium","Available","Scheduled","InitialAccess","T1189","BoxDataConnector","has_query","","","","","","Solution","","","","","false","Box","Box","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box","true" "8889e69c-2161-412a-94a6-76c1b2d9daa7","Box - Forbidden file type downloaded","analytic_rule","'Detects when new user downloads forbidden file types.'","BoxDownloadForbiddenFiles.yaml","","","Medium","Available","Scheduled","InitialAccess","T1189","BoxDataConnector","has_query","","","","","","Solution","","","","","false","Box","Box","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box","true" 
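Review bot: the new BloodHound Enterprise `analytic_rule` rows leave the tactics and techniques columns empty (the two fields that hold `"Collection","T1530"` in the Box rows that follow) and fill the description column with a copy of the rule title, so if the source YAMLs under Solutions/BloodHound Enterprise carry `tactics`, `relevantTechniques` and a `description`, the mapper is dropping them for this solution, and if they do not, the generated table pages will list these rules with no MITRE coverage; please check one of the YAMLs before merging. Every new row also ends in `"false"` where the neighbouring Box rows end in `"true"`, so confirm that trailing flag is actually computed for this solution rather than falling back to a default.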
@@ -706,25 +711,25 @@ "b7918a0a-c6fe-4b6d-9111-b0b0c477f1a8","Login attempts using Legacy Auth","hunting_query","'This query identifies use of legacy authentication in Microsoft Entra ID sign-in activity, which can bypass Azure Conditional Access policies. It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'","LegacyAuthAttempt.yaml","","","","","","InitialAccess,Persistence","T1078,T1098","AzureActiveDirectory,BehaviorAnalytics,BehaviorAnalytics","has_query","","","BehaviorAnalytics.ActivityType in ""FailedLogOn,LogOn""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "41fa6e2d-afe9-4398-9356-cec3a927e44e","Microsoft Entra ID signins from new locations","hunting_query","'This query identifies new Microsoft Entra ID sign-in locations compared to historical data, potentially indicating password spraying or brute force attacks. 
It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'","new_locations_azuread_signin.yaml","","","","","","InitialAccess","T1078","AzureActiveDirectory,BehaviorAnalytics","has_query","","","","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "f50a26d7-ffdb-4471-90b9-3be78c60e4f2","Office Mail Rule Creation with suspicious archive mail move activity","hunting_query","'Hunting query to detect new inbox rule creation with activity of mail moved from inbox to archive folder within 12minutes.Though such activities could be legitimate some attackers may use these techniques to perform email diversion attack.'","OfficeMailRuleCreationWithMailMoveActivity.yaml","","","","","","Collection,Exfiltration","T1114,T1020","Office365","has_query","","","OfficeActivity.OfficeWorkload =~ ""Exchange""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" -"bfacf634-c75e-4291-998c-ecbc0323d943","Risky Sign-in with new MFA method","hunting_query","'This query identifies new MFA methods added to an account within 6 hours of a medium or high risk sign-in session. 
It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'","riskSignInWithNewMFAMethod.yaml","","","","","","Persistence","T1078.004","AzureActiveDirectory,BehaviorAnalytics,BehaviorAnalytics","has_query","","","AuditLogs.OperationName =~ ""Update user"" | BehaviorAnalytics.ActivityType in ""FailedLogOn,LogOn""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" +"bfacf634-c75e-4291-998c-ecbc0323d943","Risky Sign-in with new MFA method","hunting_query","'This query identifies new MFA methods added to an account within 6 hours of a medium or high risk sign-in session. It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'","riskSignInWithNewMFAMethod.yaml","","","","","","Persistence","T1078.004","AzureActiveDirectory,BehaviorAnalytics,BehaviorAnalytics","has_query","","","BehaviorAnalytics.ActivityType in ""FailedLogOn,LogOn"" | SigninLogs.OperationName =~ ""Update user""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "2843e796-3d6c-4a78-a815-1db783b346a3","High count download from a SAP Privileged account","hunting_query","'This query detects high counts of download from a sensitive SAP Privileged account. 
A pre-built watchlist is leveraged to identify the privileged users that are under extra restrictions.'","SAP_HighdownloadfromPriviledgedaccount.yaml","","","","","","InitialAccess,Exfiltration","T1078,T1030","SAP","has_query","","","","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "99885ff5-00cf-49e8-9452-6de6aba2a5c7","Successful Signin From Non-Compliant Device","hunting_query","'Detects successful sign ins from devices marked non-compliant. Best practice is to block sign ins from non-complaint devices, however if allowed monitor these events to ensure they do not lead to other risky activity.'","SuccessfulSigninFromNon-CompliantDevice.yaml","","","","","","InitialAccess","T1078.004","AzureActiveDirectory,BehaviorAnalytics,BehaviorAnalytics","has_query","","","BehaviorAnalytics.ActivityType in ""FailedLogOn,LogOn"" | SigninLogs.ResultType == ""0""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "8eace93b-f38c-47b7-a21d-739556d31db6","User Accounts - New Single Factor Auth","hunting_query","'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed.'","UserAccounts-NewSingleFactorAuth.yaml","","","","","","InitialAccess","T1078","AzureActiveDirectory,AzureActiveDirectory,BehaviorAnalytics","has_query","","","","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" 
"f56b2223-0d4d-4347-9de4-822d195624ee","User Accounts - Unusual authentications occurring when countries do not conduct normal business operations.","hunting_query","'Identifies users whose single Factor Auth Events in scenarios where it has not been seen before, or where only multi factor auth has been observed.'","UserAccounts-UnusualLogonTimes.yaml","","","","","","InitialAccess","T1078","AzureActiveDirectory,BehaviorAnalytics","has_query","","","_Computed.DayNumberofWeek in ""00:00:00,1.00:00:00,2.00:00:00,3.00:00:00,4.00:00:00,5.00:00:00,6.00:00:00""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "8c5bc38a-438d-48fb-ae3f-7f356d3e5ba9","User detection added to privilege groups based in Watchlist","hunting_query","'Based on a Watchlist Detects when a user has been added to a privileged group/role. 
We can exclude from the wathclist the users for whom we do not want this alert to be triggered'","UserDetectPrivilegeGroup.yaml","","","","","","Reconnaissance,PrivilegeEscalation","T1548","AzureActiveDirectory","has_query","","","AuditLogs.ActivityDisplayName has_any ""Add eligible member to role"" | AuditLogs.LoggedByService in ""Core Directory,PIM"" | _Computed.newValue contains ""ApplicationAdministrators"" | _Computed.newValue contains ""BuiltInRole"" | _Computed.newValue contains ""User Administrator"" | _Computed.newValue contains ""UserAccountAdmins""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" "09a7c5fc-0649-4f7d-a21b-36a754cef6b6","User Login IP Address Teleportation","hunting_query","'This query identifies users logging in from two different countries within a specified time window, potentially indicating VPN use. 
It includes UEBA logs IdentityInfo and BehaviorAnalytics for context.'","UserLoginIPAddressTeleportation.yaml","","","","","","InitialAccess","T1078","AzureActiveDirectory,BehaviorAnalytics,BehaviorAnalytics","has_query","","","BehaviorAnalytics.ActivityType in ""FailedLogOn,LogOn"" | SigninLogs.AppDisplayName =~ ""Office 365 Exchange Online"" | SigninLogs.ConditionalAccessStatus =~ ""success""","","","Solution","","","","","false","Business Email Compromise - Financial Fraud","Business Email Compromise - Financial Fraud","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud","true" -"","Censys","workbook","","Censys.json","","","","","","","","","has_query","","","_Computed.EntityType in ""dns,filehash,ip""","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Add Incident Comment","playbook","This playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Censys playbooks (CensysIncidentEnrichment, CensysEntityEnrichmentHost, CensysEntityEnrichmentCertificate, CensysEntityEnrichmentWebProperty, CensysAlertEnrichment). It receives enrichment data (host, web_property, certificate) along with the incident ARM ID and parent playbook name. The playbook processes each data type, extracts relevant fields (IP, autonomous system, WHOIS, location, DNS, service","CensysAddIncidentComment/azuredeploy.json","CensysAddIncidentComment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Alert Enrichment","playbook","This playbook is triggered by a Microsoft Sentinel Alert. 
It extracts IP addresses, domains, and certificate file hashes (SHA256) from alert entities, then queries the Censys API to retrieve enrichment data for hosts, web properties, and certificates. The enriched data is ingested into Log Analytics Workspace custom tables (CensysHostAlert, CensysWebPropertyAlert, CensysCertificateAlert). If the alert is associated with an incident, the playbook invokes the CensysAddIncidentComment sub-playbook ","CensysAlertEnrichment/azuredeploy.json","CensysAlertEnrichment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Alert Rescan","playbook","This playbook is triggered manually via HTTP request from a workbook or automation. It accepts input parameters including IOC Type (Host or Web Property), IP, Port, Protocol, Transport Protocol, Hostname, and Alert ID. The playbook initiates a rescan request to the Censys API, monitors scan status until completion, retrieves the updated asset data, and ingests the rescan results into Log Analytics. If the alert is associated with an incident, the playbook invokes the CensysIncidentEnrichment sub","CensysAlertRescan/azuredeploy.json","CensysAlertRescan/readme.md","","","","","","","","has_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Entity Enrichment - Certificate","playbook","This playbook is triggered automatically when a FileHash entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the FileHash (certificate fingerprint) from the entity and queries the Censys API (v3) to retrieve detailed certificate information including location, autonomous system, WHOIS data, and associated services. 
The playbook retrieves the Censys API token securely from Azure Key Vault, performs the API call with retry logic and compre","CensysEntityEnrichmentCertificate/azuredeploy.json","CensysEntityEnrichmentCertificate/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Entity Enrichment - Host","playbook","This playbook is triggered automatically when an IP entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the IP address from the entity and queries the Censys API (v3) to retrieve detailed host information including geolocation (continent, country, city, coordinates), autonomous system details (ASN, BGP prefix), WHOIS data (network, organization, contacts), services, and DNS information. The playbook retrieves the Censys API token securel","CensysEntityEnrichmentHost/azuredeploy.json","CensysEntityEnrichmentHost/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Entity Enrichment - Web Property","playbook","This playbook is triggered automatically when a DNS entity (domain name) is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the domain name from the entity and queries the Censys API (v3) to retrieve detailed web property information including geolocation (continent, country, city, coordinates), autonomous system details (ASN, BGP prefix), WHOIS data (network, organization, contacts), services, and DNS information. 
The playbook constructs the ","CensysEntityEnrichmentWebProperty/azuredeploy.json","CensysEntityEnrichmentWebProperty/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Host History","playbook","This playbook is triggered manually via HTTP request, typically invoked from a Microsoft Sentinel workbook. It retrieves historical timeline data for a specified host (IP address) from the Censys API (v3) within a given time range. The playbook accepts start_time, end_time, and host parameters in RFC3339 format. NOTE: Start time must be the timestamp closest to the current time (more recent) and End time must be the timestamp furthest from the current time (older). The playbook validates input p","CensysHostHistory/azuredeploy.json","CensysHostHistory/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Incident Enrichment","playbook","This playbook will be triggered when any automation rule is attached or manually invoked. This will fetch associated IPs, Host(Domains) and SHAs from incident and make associated API calls to retrieve Censys data and enrich incident with additional information as Incident comment.","CensysIncidentEnrichment/azuredeploy.json","CensysIncidentEnrichment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Ad-Hoc IOC Lookup","playbook","This playbook will be triggered from the workbook. 
This will fetch associated IPs, Host(Domains) and SHAs from user input provided in the Ad-Hoc IOC Lookup Dashboard and make API calls to retrieve Censys data and display data in the dashboard.","CensysIOCLookup/azuredeploy.json","CensysIOCLookup/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Related Infrastructure","playbook","This playbook retrieves related infrastructure details for Censys entities (hosts, certificates, or web properties) using the Censys Pivot Analysis API. It accepts an IOC Value (hosts, certificates, or web properties) and IOC type as input, creates a pivot analysis job, monitors the job status, retrieves the results, and ingests the related infrastructure data into Azure Log Analytics for further analysis and display data in the dashboard. Learn more about CensEye in the Censys documentation: ht","CensysRelatedInfrastructure/azuredeploy.json","CensysRelatedInfrastructure/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" -"","Censys Rescan","playbook","This playbook will be triggered manually. 
This will fetch associated IPs from the incident and make API calls to retrieve Censys data and enrich the incident with additional information as Incident comment.","CensysRescan/azuredeploy.json","CensysRescan/readme.md","","","","","","","","has_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","true" +"","Censys","workbook","","Censys.json","","","","","","","","","has_query","","","_Computed.EntityType in ""dns,filehash,ip""","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Add Incident Comment","playbook","This playbook is triggered via HTTP request and is designed to be used as a sub-playbook by other Censys playbooks (CensysIncidentEnrichment, CensysEntityEnrichmentHost, CensysEntityEnrichmentCertificate, CensysEntityEnrichmentWebProperty, CensysAlertEnrichment). It receives enrichment data (host, web_property, certificate) along with the incident ARM ID and parent playbook name. The playbook processes each data type, extracts relevant fields (IP, autonomous system, WHOIS, location, DNS, service","CensysAddIncidentComment/azuredeploy.json","CensysAddIncidentComment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Alert Enrichment","playbook","This playbook is triggered by a Microsoft Sentinel Alert. It extracts IP addresses, domains, and certificate file hashes (SHA256) from alert entities, then queries the Censys API to retrieve enrichment data for hosts, web properties, and certificates. The enriched data is ingested into Log Analytics Workspace custom tables (CensysHostAlert, CensysWebPropertyAlert, CensysCertificateAlert). 
If the alert is associated with an incident, the playbook invokes the CensysAddIncidentComment sub-playbook ","CensysAlertEnrichment/azuredeploy.json","CensysAlertEnrichment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Alert Rescan","playbook","This playbook is triggered manually via HTTP request from a workbook or automation. It accepts input parameters including IOC Type (Host or Web Property), IP, Port, Protocol, Transport Protocol, Hostname, and Alert ID. The playbook initiates a rescan request to the Censys API, monitors scan status until completion, retrieves the updated asset data, and ingests the rescan results into Log Analytics. If the alert is associated with an incident, the playbook invokes the CensysIncidentEnrichment sub","CensysAlertRescan/azuredeploy.json","CensysAlertRescan/readme.md","","","","","","","","has_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Entity Enrichment - Certificate","playbook","This playbook is triggered automatically when a FileHash entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the FileHash (certificate fingerprint) from the entity and queries the Censys API (v3) to retrieve detailed certificate information including location, autonomous system, WHOIS data, and associated services. 
The playbook retrieves the Censys API token securely from Azure Key Vault, performs the API call with retry logic and compre","CensysEntityEnrichmentCertificate/azuredeploy.json","CensysEntityEnrichmentCertificate/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Entity Enrichment - Host","playbook","This playbook is triggered automatically when an IP entity is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the IP address from the entity and queries the Censys API (v3) to retrieve detailed host information including geolocation (continent, country, city, coordinates), autonomous system details (ASN, BGP prefix), WHOIS data (network, organization, contacts), services, and DNS information. The playbook retrieves the Censys API token securel","CensysEntityEnrichmentHost/azuredeploy.json","CensysEntityEnrichmentHost/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Entity Enrichment - Web Property","playbook","This playbook is triggered automatically when a DNS entity (domain name) is detected in a Microsoft Sentinel incident, based on an automation rule. Upon triggering, it extracts the domain name from the entity and queries the Censys API (v3) to retrieve detailed web property information including geolocation (continent, country, city, coordinates), autonomous system details (ASN, BGP prefix), WHOIS data (network, organization, contacts), services, and DNS information. 
The playbook constructs the ","CensysEntityEnrichmentWebProperty/azuredeploy.json","CensysEntityEnrichmentWebProperty/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Host History","playbook","This playbook is triggered manually via HTTP request, typically invoked from a Microsoft Sentinel workbook. It retrieves historical timeline data for a specified host (IP address) from the Censys API (v3) within a given time range. The playbook accepts start_time, end_time, and host parameters in RFC3339 format. NOTE: Start time must be the timestamp closest to the current time (more recent) and End time must be the timestamp furthest from the current time (older). The playbook validates input p","CensysHostHistory/azuredeploy.json","CensysHostHistory/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Incident Enrichment","playbook","This playbook will be triggered when any automation rule is attached or manually invoked. This will fetch associated IPs, Host(Domains) and SHAs from incident and make associated API calls to retrieve Censys data and enrich incident with additional information as Incident comment.","CensysIncidentEnrichment/azuredeploy.json","CensysIncidentEnrichment/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Ad-Hoc IOC Lookup","playbook","This playbook will be triggered from the workbook. 
This will fetch associated IPs, Host(Domains) and SHAs from user input provided in the Ad-Hoc IOC Lookup Dashboard and make API calls to retrieve Censys data and display data in the dashboard.","CensysIOCLookup/azuredeploy.json","CensysIOCLookup/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Related Infrastructure","playbook","This playbook retrieves related infrastructure details for Censys entities (hosts, certificates, or web properties) using the Censys Pivot Analysis API. It accepts an IOC Value (hosts, certificates, or web properties) and IOC type as input, creates a pivot analysis job, monitors the job status, retrieves the results, and ingests the related infrastructure data into Azure Log Analytics for further analysis and display data in the dashboard. Learn more about CensEye in the Censys documentation: ht","CensysRelatedInfrastructure/azuredeploy.json","CensysRelatedInfrastructure/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" +"","Censys Rescan","playbook","This playbook will be triggered manually. 
This will fetch associated IPs from the incident and make API calls to retrieve Censys data and enrich the incident with additional information as Incident comment.","CensysRescan/azuredeploy.json","CensysRescan/readme.md","","","","","","","","has_query","","","","","","Solution","","","","","false","Censys","Censys","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Censys","false" "","CheckPoint","workbook","","CheckPoint.json","","","","","","","","","has_query","Check Point","All;Anti Malware","CommonSecurityLog.DeviceCustomString3 in~ ""DNS Reputation,IP Reputation,URL Reputation"" | CommonSecurityLog.DeviceProduct in~ ""Anti Malware,Anti-Bot,Anti-Virus,Application Control,DDoS Protector,IPS,Threat Emulation,URL Filtering"" | CommonSecurityLog.DeviceVendor == ""Check Point"" | CommonSecurityLog.FlexNumber1 in ""3,4,5"" | CommonSecurityLog.LogSeverity in~ ""Critical,High,Medium,Very-High""","","","Solution","","","","","false","Check Point","Check Point","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check%20Point","true" "","checkpoint-add-host-to-group","playbook","This playbook will create Check Point objects and add to block group","add-host-to-group/deployCPplaybook.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Check Point","Check Point","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check%20Point","true" "8d3b9c7e-5a2f-4e1d-b6c8-3f9a7e2d1b4c","Check Point Exposure Management - Alert Ingestion Anomaly","analytic_rule","Detects when no Check Point Exposure Management alerts have been ingested into the argsentdc_CL table for an extended period. 
This may indicate a failure in the CCP data connector or the Importer playbook, a misconfigured API token, or network connectivity issues.","CPEMAlertIngestionAnomaly.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562","CheckPointCyberintAlerts","has_query","","","","","","Solution","","","","","false","Check Point Cyberint Alerts","Check Point Cyberint Alerts","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check%20Point%20Cyberint%20Alerts","true" 
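Review bot: The added "Censys Related Infrastructure" playbook row has a truncated description column: it ends mid-URL with `Learn more about CensEye in the Censys documentation: ht`. Either the generator cuts the description field at a fixed length or the source metadata is already truncated; check which, and either let the full URL through or drop the dangling "Learn more" fragment before merging, since a bare `ht` will render as a broken link in the generated index. The sibling "Censys Rescan" row added in the same hunk reads cleanly.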
@@ -740,7 +745,7 @@ "a1b2c3d4-e5f6-7890-abcd-ef1234567890","CPEMAlerts","parser","","CPEMAlerts.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Check Point Cyberint Alerts","Check Point Cyberint Alerts","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Check%20Point%20Cyberint%20Alerts","true" "","CheckPhish - Get URL reputation","playbook","This playbooks will be used to submit URL to CheckPhish and gets the repution of URL (Scan result)","CheckPhishPlaybooks/CheckPhsh-Get-URLScanResult/azuredeploy.json","CheckPhishPlaybooks/CheckPhsh-Get-URLScanResult/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","CheckPhish by Bolster","CheckPhish by Bolster","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CheckPhish%20by%20Bolster","true" "e89d588d-799f-486d-9632-b5dd3476cb6f","CiscoACIEvent","parser","","CiscoACIEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Cisco ACI","Cisco ACI","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ACI","true" -"","CiscoETD","workbook","","CiscoETD.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Cisco ETD","Cisco ETD","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD","true" +"","CiscoETD","workbook","","CiscoETD.json","","","","","","","","","has_query","","","_Computed.Folder in~ ""junk,quarantine"" | _Computed.Url !startswith ""&"" | _Computed.Url !startswith ""http://mailto""","","","Solution","","","","","false","Cisco ETD","Cisco ETD","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20ETD","true" "","Block URL - Cisco Firepower","playbook","This playbook allows blocking of FQDNs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. 
The Network Group object itself should be part of an Access List Entry.","CiscoFirepower-BlockFQDN-NetworkGroup/azuredeploy.json","CiscoFirepower-BlockFQDN-NetworkGroup/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Cisco Firepower EStreamer","Cisco Firepower EStreamer","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Firepower%20EStreamer","true" "","Block IP - Cisco Firepower","playbook","This playbook allows blocking of IPs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry.","CiscoFirepower-BlockIP-NetworkGroup/azuredeploy.json","CiscoFirepower-BlockIP-NetworkGroup/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Cisco Firepower EStreamer","Cisco Firepower EStreamer","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Firepower%20EStreamer","true" "","Block IP - Take Action from Teams - Cisco Firepower","playbook","This playbook allows blocking of IPs in Cisco Firepower, using a **Network Group object**. This allows making changes to a Network Group selected members, instead of making Access List Entries. The Network Group object itself should be part of an Access List Entry.","CiscoFirepower-BlockIP-Teams/azuredeploy.json","CiscoFirepower-BlockIP-Teams/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Cisco Firepower EStreamer","Cisco Firepower EStreamer","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20Firepower%20EStreamer","true" 
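Review bot: The CiscoETD workbook row now carries a query-filter column populated entirely with `_Computed.*` pseudo-table clauses (`_Computed.Folder in~ "junk,quarantine" | _Computed.Url !startswith "&" | _Computed.Url !startswith "http://mailto"`) while the table, vendor and product columns beside it stay empty; elsewhere in this file the same column references concrete tables such as `CommonSecurityLog`. If `_Computed` is the mapper's marker for fields derived inside the workbook rather than read from an ingested table, that convention should be documented next to the CSV column description, because it is not self-evident from the data, and the PR description should confirm this row was regenerated rather than hand-edited.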
@@ -916,7 +921,7 @@ "42894dea-1da9-4e98-b934-3fd97924dc8a","CitrixADCEvent","parser","","CitrixADCEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Citrix ADC","Citrix ADC","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC","true" "1c9a0c69-efc6-4fe6-ac53-baf6fe77b833","CitrixADCEventOld","parser","","CitrixADCEventOld.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","true","Citrix ADC","Citrix ADC","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC","true" "","CitrixAnalytics","workbook","","CitrixAnalytics.json","","","","","","","","","has_query","","","_Computed.event_status in ""Failure,NA,allow,deny,failure""","","","Solution","","","","","false","Citrix Analytics CCF","Citrix Analytics CCF","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20CCF","false" -"","Citrix","workbook","","Citrix.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Citrix Analytics for Security","Citrix Analytics for Security","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20for%20Security","true" +"","Citrix","workbook","","Citrix.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Citrix Analytics for Security","Citrix Analytics for Security","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Analytics%20for%20Security","false" "","CitrixWAF","workbook","","CitrixWAF.json","","","","","","","","","has_query","Citrix","NetScaler","CommonSecurityLog.DeviceProduct == ""NetScaler"" | CommonSecurityLog.DeviceVendor == ""Citrix""","","","Solution","","","","","false","Citrix Web App Firewall","Citrix Web App Firewall","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20Web%20App%20Firewall","true" "fd6e3416-0421-4166-adb9-186e555a7008","Claroty - Asset Down","analytic_rule","'Triggers 
asset is down.'","ClarotyAssetDown.yaml","","","High","Available","Scheduled","Impact","T1529","CefAma","has_query","","","","","","Solution","","","","","false","Claroty","Claroty","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty","true" "9a8b4321-e2be-449b-8227-a78227441b2a","Claroty - Critical baseline deviation","analytic_rule","Detects Claroty events where EventOriginalType or EventType indicates a Baseline Deviation and EventSeverity is 5, which represents a critical deviation from baseline that may indicate disruptive or unauthorized activity.","ClarotyCriticalBaselineDeviation.yaml","","","High","Available","Scheduled","Impact","T1529,T1565.001","CefAma","has_query","","","","","","Solution","","","","","false","Claroty","Claroty","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty","true" 
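Review bot: The only change in this hunk is the trailing boolean column on the Citrix workbook row flipping from `true` to `false`, with no other field touched. Because this CSV is a generated artifact, the PR should state which generator change produces that flip so a reviewer can tell an intended reclassification from a regression; the neighbouring rows (Citrix Analytics CCF at `false`, Citrix Web App Firewall at `true`) give no hint on their own.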
@@ -1026,12 +1031,12 @@ "","Commvault Disable User Logic App Playbook","playbook","This Logic App executes when called upon by an Automation Rule. Accessing the KeyVault to retrieve various credentials, it executes a specific runbook depending on the use case.","Commvault_Disable_User_Logic_App/azuredeploy.json","Commvault_Disable_User_Logic_App/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Commvault Security IQ","Commvault Security IQ","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault%20Security%20IQ","true" "fd950af9-d9db-4879-a60a-7267cc041beb","CDM_ContinuousDiagnostics&Mitigation_PostureChanged","analytic_rule","'This alert is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. The alert triggers when policy compliance falls below 70% within a 1 week timeframe.'","ContinuousDiagnostics&MitigationPostureChanged.yaml","","","Medium","Available","Scheduled","Discovery","T1082","","has_query","","","SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy""","","","Solution","","","","","false","ContinuousDiagnostics&Mitigation","ContinuousDiagnostics&Mitigation","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics%26Mitigation","true" "e15944a8-4172-4208-a928-631e01920d9c","CDM_ContinuousDiagnostics&Mitigation_Posture","hunting_query","'This hunting query is designed to monitor Azure policies aligned with the Continuous Diagnostics & Mitigation (CDM) Program. 
It provides a policy check assessment of current CDM policy status across capability areas.'","ContinuousDiagnostics&MitigationPosture.yaml","","","Medium","","Scheduled","Discovery","T1082","","has_query","","","SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy""","","","Solution","","","","","false","ContinuousDiagnostics&Mitigation","ContinuousDiagnostics&Mitigation","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics%26Mitigation","true" -"","ContinuousDiagnostics&Mitigation","workbook","","ContinuousDiagnostics&Mitigation.json","","","","","","","","","has_query","","","AzureActivity.OperationName contains ""PIM"" | AzureDiagnostics.Category in ""NetworkSecurityGroupEvent,kube-audit"" | AzureDiagnostics.Category contains ""SQL"" | AzureDiagnostics.ResourceProvider == ""MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType in ""APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"" | SecurityAlert.ProductName in ""Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management,Microsoft Defender Advanced Threat Protection"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityRecommendation.RecommendationDisplayName contains ""access"" | SecurityRecommendation.RecommendationDisplayName contains ""account"" | SecurityRecommendation.RecommendationDisplayName contains ""admin"" | SecurityRecommendation.RecommendationDisplayName contains ""agent"" | SecurityRecommendation.RecommendationDisplayName contains ""aks"" | SecurityRecommendation.RecommendationDisplayName contains ""audit"" | SecurityRecommendation.RecommendationDisplayName contains ""auth"" | SecurityRecommendation.RecommendationDisplayName contains ""back"" | SecurityRecommendation.RecommendationDisplayName contains ""bound"" | SecurityRecommendation.RecommendationDisplayName contains ""cert"" | 
SecurityRecommendation.RecommendationDisplayName contains ""cmk"" | SecurityRecommendation.RecommendationDisplayName contains ""collect"" | SecurityRecommendation.RecommendationDisplayName contains ""contain"" | SecurityRecommendation.RecommendationDisplayName contains ""data"" | SecurityRecommendation.RecommendationDisplayName contains ""detect"" | SecurityRecommendation.RecommendationDisplayName contains ""edr"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint protection"" | SecurityRecommendation.RecommendationDisplayName contains ""event"" | SecurityRecommendation.RecommendationDisplayName contains ""firewall"" | SecurityRecommendation.RecommendationDisplayName contains ""gateway"" | SecurityRecommendation.RecommendationDisplayName contains ""http"" | SecurityRecommendation.RecommendationDisplayName contains ""identity"" | SecurityRecommendation.RecommendationDisplayName contains ""incident"" | SecurityRecommendation.RecommendationDisplayName contains ""internet"" | SecurityRecommendation.RecommendationDisplayName contains ""intrusion"" | SecurityRecommendation.RecommendationDisplayName contains ""just"" | SecurityRecommendation.RecommendationDisplayName contains ""key"" | SecurityRecommendation.RecommendationDisplayName contains ""kube"" | SecurityRecommendation.RecommendationDisplayName contains ""malware"" | SecurityRecommendation.RecommendationDisplayName contains ""network"" | SecurityRecommendation.RecommendationDisplayName contains ""port"" | SecurityRecommendation.RecommendationDisplayName contains ""priv"" | SecurityRecommendation.RecommendationDisplayName contains ""privacy"" | SecurityRecommendation.RecommendationDisplayName contains ""protection"" | SecurityRecommendation.RecommendationDisplayName contains ""proxy"" | SecurityRecommendation.RecommendationDisplayName contains ""root"" | SecurityRecommendation.RecommendationDisplayName contains ""sql"" | 
SecurityRecommendation.RecommendationDisplayName contains ""storage"" | SecurityRecommendation.RecommendationDisplayName contains ""subnet"" | SecurityRecommendation.RecommendationDisplayName contains ""supply"" | SecurityRecommendation.RecommendationDisplayName contains ""tls"" | SecurityRecommendation.RecommendationDisplayName contains ""token"" | SecurityRecommendation.RecommendationDisplayName contains ""traffic"" | SecurityRecommendation.RecommendationDisplayName contains ""trust"" | SecurityRecommendation.RecommendationDisplayName contains ""url"" | SecurityRecommendation.RecommendationDisplayName contains ""user"" | SecurityRecommendation.RecommendationDisplayName contains ""web"" | SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy"" | _Computed.AssignedRoles contains ""admin"" | _Computed.AssignedRoles contains ""contrib"" | _Computed.AssignedRoles contains ""security"" | _Computed.GroupMemberships contains ""admin"" | _Computed.GroupMemberships contains ""contrib"" | _Computed.GroupMemberships contains ""security"" | _Computed.RecommendationName contains ""allowlist"" | _Computed.RecommendationName contains ""application control"" | _Computed.RecommendationName contains ""arc"" | _Computed.RecommendationName contains ""asset"" | _Computed.RecommendationName contains ""defender"" | _Computed.RecommendationName contains ""endpoint"" | _Computed.RecommendationName contains ""log"" | _Computed.RecommendationName contains ""software"" | _Computed.complianceStandardId in ""Azure Security Benchmark,NIST SP 800 53 R4"" | _Computed.complianceState == ""Passed"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.state in ""Healthy,NotApplicable,Unhealthy"" | _Computed.type in~ ""Microsoft.KeyVault/vaults,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ 
""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.communication/emailservices"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | _Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | 
_Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.network/dnsforwardingrulesets"" | _Computed.type !~ ""microsoft.network/dnsresolvers"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ ""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ ""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.scvmm/vmmservers"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ ""microsoft.workloads/monitors"" | _Computed.type !~ ""microsoft.workloads/phpworkloads"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/applicationinstances"" | _Computed.type !~ 
""microsoft.workloads/sapvirtualinstances/centralinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/databaseinstances"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments""","","","Solution","","","","","false","ContinuousDiagnostics&Mitigation","ContinuousDiagnostics&Mitigation","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics%26Mitigation","true" -"4396f8c3-d114-4154-9f4c-048ba522ed04","Contrast Blocks","analytic_rule","'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'","ContrastBlocks.yaml","","","Low","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""BLOCKED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","true" -"e1abb6ed-be18-40fd-be58-3d3d84041daf","Contrast Exploits","analytic_rule","'Creates Incidents for Exploit events sourced from the Contrast Protect agent.'","ContrastExploits.yaml","","","High","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""EXPLOITED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","true" -"297596de-d9ae-4fb8-b6ff-00fc01c9462d","Contrast Probes","analytic_rule","'Creates Incidents for Probed events sourced from the Contrast Protect agent.'","ContrastProbes.yaml","","","Informational","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast 
Security","","CommonSecurityLog.AdditionalExtensions contains ""INEFFECTIVE"" | CommonSecurityLog.AdditionalExtensions contains ""PROBED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","true" -"f713404e-805c-4e0c-91fa-2c149f76a07d","Contrast Suspicious","analytic_rule","'Creates Incidents for Suspicious events sourced from the Contrast Protect agent.'","ContrastSuspicious.yaml","","","Medium","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""SUSPICIOUS"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","true" -"","ContrastProtect","workbook","","ContrastProtect.json","","","","","","","","","has_query","Contrast Security","","CommonSecurityLog.DeviceVendor == ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","true" +"","ContinuousDiagnostics&Mitigation","workbook","","ContinuousDiagnostics&Mitigation.json","","","","","","","","","has_query","","","AuditLogs.OperationName contains ""PIM"" | AzureDiagnostics.Category in ""NetworkSecurityGroupEvent,kube-audit"" | AzureDiagnostics.Category contains ""SQL"" | AzureDiagnostics.ResourceProvider == ""MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType in ""APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"" | SecurityAlert.ProductName in ""Azure Active Directory Identity 
Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management,Microsoft Defender Advanced Threat Protection"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityRecommendation.RecommendationDisplayName contains ""access"" | SecurityRecommendation.RecommendationDisplayName contains ""account"" | SecurityRecommendation.RecommendationDisplayName contains ""admin"" | SecurityRecommendation.RecommendationDisplayName contains ""agent"" | SecurityRecommendation.RecommendationDisplayName contains ""aks"" | SecurityRecommendation.RecommendationDisplayName contains ""audit"" | SecurityRecommendation.RecommendationDisplayName contains ""auth"" | SecurityRecommendation.RecommendationDisplayName contains ""back"" | SecurityRecommendation.RecommendationDisplayName contains ""bound"" | SecurityRecommendation.RecommendationDisplayName contains ""cert"" | SecurityRecommendation.RecommendationDisplayName contains ""cmk"" | SecurityRecommendation.RecommendationDisplayName contains ""collect"" | SecurityRecommendation.RecommendationDisplayName contains ""contain"" | SecurityRecommendation.RecommendationDisplayName contains ""data"" | SecurityRecommendation.RecommendationDisplayName contains ""detect"" | SecurityRecommendation.RecommendationDisplayName contains ""edr"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint protection"" | SecurityRecommendation.RecommendationDisplayName contains ""event"" | SecurityRecommendation.RecommendationDisplayName contains ""firewall"" | SecurityRecommendation.RecommendationDisplayName contains ""gateway"" | SecurityRecommendation.RecommendationDisplayName contains ""http"" | SecurityRecommendation.RecommendationDisplayName contains ""identity"" | SecurityRecommendation.RecommendationDisplayName contains ""incident"" | SecurityRecommendation.RecommendationDisplayName contains ""internet"" | 
SecurityRecommendation.RecommendationDisplayName contains ""intrusion"" | SecurityRecommendation.RecommendationDisplayName contains ""just"" | SecurityRecommendation.RecommendationDisplayName contains ""key"" | SecurityRecommendation.RecommendationDisplayName contains ""kube"" | SecurityRecommendation.RecommendationDisplayName contains ""malware"" | SecurityRecommendation.RecommendationDisplayName contains ""network"" | SecurityRecommendation.RecommendationDisplayName contains ""port"" | SecurityRecommendation.RecommendationDisplayName contains ""priv"" | SecurityRecommendation.RecommendationDisplayName contains ""privacy"" | SecurityRecommendation.RecommendationDisplayName contains ""protection"" | SecurityRecommendation.RecommendationDisplayName contains ""proxy"" | SecurityRecommendation.RecommendationDisplayName contains ""root"" | SecurityRecommendation.RecommendationDisplayName contains ""sql"" | SecurityRecommendation.RecommendationDisplayName contains ""storage"" | SecurityRecommendation.RecommendationDisplayName contains ""subnet"" | SecurityRecommendation.RecommendationDisplayName contains ""supply"" | SecurityRecommendation.RecommendationDisplayName contains ""tls"" | SecurityRecommendation.RecommendationDisplayName contains ""token"" | SecurityRecommendation.RecommendationDisplayName contains ""traffic"" | SecurityRecommendation.RecommendationDisplayName contains ""trust"" | SecurityRecommendation.RecommendationDisplayName contains ""url"" | SecurityRecommendation.RecommendationDisplayName contains ""user"" | SecurityRecommendation.RecommendationDisplayName contains ""web"" | SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy"" | _Computed.AssignedRoles contains ""admin"" | _Computed.AssignedRoles contains ""contrib"" | _Computed.AssignedRoles contains ""security"" | _Computed.GroupMemberships contains ""admin"" | _Computed.GroupMemberships contains ""contrib"" | _Computed.GroupMemberships contains ""security"" | 
_Computed.complianceStandardId in ""Azure Security Benchmark,NIST SP 800 53 R4"" | _Computed.complianceState == ""Passed"" | _Computed.recommendationName contains ""allowlist"" | _Computed.recommendationName contains ""application control"" | _Computed.recommendationName contains ""arc"" | _Computed.recommendationName contains ""asset"" | _Computed.recommendationName contains ""defender"" | _Computed.recommendationName contains ""endpoint"" | _Computed.recommendationName contains ""log"" | _Computed.recommendationName contains ""software"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.state in ""Healthy,NotApplicable,Unhealthy"" | _Computed.type in~ ""Microsoft.KeyVault/vaults,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ ""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.communication/emailservices"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | 
_Computed.type !~ ""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | _Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.network/dnsforwardingrulesets"" | _Computed.type !~ ""microsoft.network/dnsresolvers"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ ""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ 
""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.scvmm/vmmservers"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ ""microsoft.workloads/monitors"" | _Computed.type !~ ""microsoft.workloads/phpworkloads"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/applicationinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/centralinstances"" | _Computed.type !~ ""microsoft.workloads/sapvirtualinstances/databaseinstances"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments""","","","Solution","","","","","false","ContinuousDiagnostics&Mitigation","ContinuousDiagnostics&Mitigation","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContinuousDiagnostics%26Mitigation","true" +"4396f8c3-d114-4154-9f4c-048ba522ed04","Contrast Blocks","analytic_rule","'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'","ContrastBlocks.yaml","","","Low","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""BLOCKED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","false" +"e1abb6ed-be18-40fd-be58-3d3d84041daf","Contrast 
Exploits","analytic_rule","'Creates Incidents for Exploit events sourced from the Contrast Protect agent.'","ContrastExploits.yaml","","","High","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""EXPLOITED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","false" +"297596de-d9ae-4fb8-b6ff-00fc01c9462d","Contrast Probes","analytic_rule","'Creates Incidents for Probed events sourced from the Contrast Protect agent.'","ContrastProbes.yaml","","","Informational","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""INEFFECTIVE"" | CommonSecurityLog.AdditionalExtensions contains ""PROBED"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","false" +"f713404e-805c-4e0c-91fa-2c149f76a07d","Contrast Suspicious","analytic_rule","'Creates Incidents for Suspicious events sourced from the Contrast Protect agent.'","ContrastSuspicious.yaml","","","Medium","Available","Scheduled","InitialAccess,Exfiltration","T1566","ContrastProtect,ContrastProtectAma,CefAma","has_query","Contrast Security","","CommonSecurityLog.AdditionalExtensions contains ""SUSPICIOUS"" | CommonSecurityLog.DeviceVendor == ""Contrast Security""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","false" 
+"","ContrastProtect","workbook","","ContrastProtect.json","","","","","","","","","has_query","Contrast Security","","CommonSecurityLog.DeviceVendor == ""Contrast Security"" | _Computed.Outcome in ""BLOCKED,EXPLOITED,SUSPICIOUS"" | _Computed.Outcome != ""success""","","","Solution","","","","","false","Contrast Protect","Contrast Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast%20Protect","false" "c1c6ba64-134e-403b-b9a6-1bebc90809a4","Contrast ADR - EDR Alert Correlation","analytic_rule","'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'","Contrast_ADR_Confirmed_EDR.yaml","","","Medium","Available","Scheduled","Execution,DefenseEvasion,InitialAccess,CommandAndControl","T1059,T1055,T1190,T1008","ContrastADRCCF","has_query","","","","","","Solution","","","","","false","ContrastADR","ContrastADR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR","true" "93641436-afb3-4921-8828-ceab0d15aaab","Contrast ADR - WAF Alert Correlation","analytic_rule","'Correlates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. 
This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.'","Contrast_ADR_Confirmed_WAF.yaml","","","Medium","Available","Scheduled","InitialAccess,DefenseEvasion,CommandAndControl","T1190,T1211,T1008","ContrastADRCCF","has_query","","","","","","Solution","","","","","false","ContrastADR","ContrastADR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR","true" "ae4f67a6-0713-4a26-ae61-284e67b408c1","Contrast ADR - Exploited Attack Event","analytic_rule","'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'","Contrast_ADR_Exploited_Attack_Event.yaml","","","High","Available","Scheduled","InitialAccess,Execution,DefenseEvasion,LateralMovement,CommandAndControl","T1190,T1059,T1055,T1210,T1008","ContrastADRCCF","has_query","","","","","","Solution","","","","","false","ContrastADR","ContrastADR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR","true" 
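Review bot: the added Contrast Protect rows carry the source YAML's literal single quotes inside the description field (`'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'`), while other rows in the same file do not (the FalconFriday descriptions further down start with `This query detects ...`), so the generated index pages will render some descriptions quoted and others not; consider stripping one matching pair of outer quotes from the description when the mapper emits the CSV. Also worth a second look in this hunk: the new Contrast Protect rows end with `"false"` in the final column while the adjacent ContrastADR context rows end with `"true"`, so please confirm in the version history what that column denotes and that `false` is intended for a solution whose rules all resolve to `CommonSecurityLog` via `ContrastProtect,ContrastProtectAma,CefAma`.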
@@ -1268,7 +1273,7 @@ "40a61269-9d21-41ac-b5ae-d741e4a4ecde","CyberArkEPM","parser","","CyberArkEPM.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","CyberArkEPM","CyberArkEPM","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM","true" "fb127436-e5c4-4e31-85a8-d3507128dd09","CMMC 2.0 Level 1 (Foundational) Readiness Posture","analytic_rule","'CMMC 2.0 Level 1 (Foundational) assessments have deviated from configured threshold baselines. This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'","CMMC2.0Level1FoundationalPosture.yaml","","","Medium","Available","Scheduled","Discovery","T1082","","has_query","","","_Computed.Level == ""Level 1: Foundational""","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" "7bfe573b-3069-4e81-98fe-9a4cffbcbc24","CMMC 2.0 Level 2 (Advanced) Readiness Posture","analytic_rule","'CMMC 2.0 Level 2 (Advanced) assessments have deviated from configured threshold baselines. 
This alert is triggered when CMMC2.0 policy compliance is assessed below 70% compliance in 7 days.'","CMMC2.0Level2AdvancedPosture.yaml","","","Medium","Available","Scheduled","Discovery","T1082","","has_query","","","_Computed.Level == ""Level 2: Advanced""","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" -"","CybersecurityMaturityModelCertification_CMMCV2","workbook","","CybersecurityMaturityModelCertification_CMMCV2.json","","","","","","","","","has_query","","","AzureActivity.OperationName in ""Add member to role,Add user,NetworkSecurityGroupEvents,Reset user password,Update user"" | AzureActivity.OperationName contains ""Add"" | AzureActivity.OperationName contains ""Audit"" | AzureActivity.OperationName contains ""Change"" | AzureActivity.OperationName contains ""Create"" | AzureActivity.OperationName contains ""Delete"" | AzureActivity.OperationName contains ""Log"" | AzureActivity.OperationName contains ""Monitor"" | AzureActivity.OperationName contains ""PIM"" | AzureActivity.OperationName contains ""Remove"" | AzureActivity.OperationName contains ""Update"" | AzureActivity.OperationName contains ""Write"" | AzureActivity.OperationName contains ""reset"" | AzureActivity.OperationNameValue contains ""Insights"" | AzureDiagnostics.Category == ""AzureFirewallApplicationRule"" | DeviceEvents.ActionType in ""Add member to role,Add user,FileCreated,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user,UsbDriveMounted"" | Event.RenderedDescription contains ""Hello"" | OfficeActivity.RecordType == ""MicrosoftTeams"" | SecurityAlert.ProductName == ""Microsoft 365 Insider Risk Management"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityRecommendation.RecommendationState in ""Healthy,Unhealthy"" | 
SigninLogs.AuthenticationRequirement == ""multiFactorAuthentication"" | _Computed.AssignedRoles contains ""Admin"" | _Computed.AssignedRoles contains ""Owner"" | _Computed.AssignedRoles contains ""Security Administrator"" | _Computed.AssignedRoles contains ""Security Contributor"" | _Computed.AssignedRoles contains ""admin"" | _Computed.AssignedRoles contains ""owner"" | _Computed.FailureReason contains ""User did not pass the MFA"" | _Computed.Groups contains ""admin"" | _Computed.Groups contains ""security"" | _Computed.OperatingSystem contains ""Android"" | _Computed.OperatingSystem contains ""iOS"" | _Computed.RecommendationName !contains ""Email"" | _Computed.RecommendationName !contains ""security group"" | _Computed.RecommendationName contains ""EDR"" | _Computed.RecommendationName contains ""MFA"" | _Computed.RecommendationName contains ""access"" | _Computed.RecommendationName contains ""accessible"" | _Computed.RecommendationName contains ""account"" | _Computed.RecommendationName contains ""audit"" | _Computed.RecommendationName contains ""back"" | _Computed.RecommendationName contains ""cert"" | _Computed.RecommendationName contains ""comm"" | _Computed.RecommendationName contains ""config"" | _Computed.RecommendationName contains ""crypt"" | _Computed.RecommendationName contains ""data"" | _Computed.RecommendationName contains ""defender"" | _Computed.RecommendationName contains ""disable"" | _Computed.RecommendationName contains ""endpoint protect"" | _Computed.RecommendationName contains ""firewall"" | _Computed.RecommendationName contains ""group"" | _Computed.RecommendationName contains ""http"" | _Computed.RecommendationName contains ""internet"" | _Computed.RecommendationName contains ""key"" | _Computed.RecommendationName contains ""log"" | _Computed.RecommendationName contains ""malware"" | _Computed.RecommendationName contains ""member"" | _Computed.RecommendationName contains ""network"" | _Computed.RecommendationName contains ""owner"" | 
_Computed.RecommendationName contains ""password"" | _Computed.RecommendationName contains ""port"" | _Computed.RecommendationName contains ""priv"" | _Computed.RecommendationName contains ""private"" | _Computed.RecommendationName contains ""protocol"" | _Computed.RecommendationName contains ""region"" | _Computed.RecommendationName contains ""rest"" | _Computed.RecommendationName contains ""session"" | _Computed.RecommendationName contains ""signature"" | _Computed.RecommendationName contains ""sql"" | _Computed.RecommendationName contains ""stor"" | _Computed.RecommendationName contains ""tls"" | _Computed.RecommendationName contains ""transit"" | _Computed.RecommendationName contains ""update"" | _Computed.RecommendationName contains ""upgrade"" | _Computed.RecommendationName contains ""user"" | _Computed.RecommendationName contains ""virus"" | _Computed.RecommendationName contains ""vuln"" | _Computed.RecommendationName contains ""web"" | _Computed.Roles contains ""admin"" | _Computed.Roles contains ""security"" | _Computed.Tactics contains ""exfil"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.complianceStandardId == ""NIST SP 800 171 R2"" | _Computed.complianceState == ""Passed"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.severity == ""High"" | _Computed.state in ""Healthy,Unhealthy""","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" +"","CybersecurityMaturityModelCertification_CMMCV2","workbook","","CybersecurityMaturityModelCertification_CMMCV2.json","","","","","","","","","has_query","","","AuditLogs.OperationName in ""Add member to role,Add user,NetworkSecurityGroupEvents,Reset user password,Update user"" | AuditLogs.OperationName contains ""Add"" | AuditLogs.OperationName contains ""Audit"" | 
AuditLogs.OperationName contains ""Change"" | AuditLogs.OperationName contains ""Create"" | AuditLogs.OperationName contains ""Delete"" | AuditLogs.OperationName contains ""Log"" | AuditLogs.OperationName contains ""Monitor"" | AuditLogs.OperationName contains ""PIM"" | AuditLogs.OperationName contains ""Remove"" | AuditLogs.OperationName contains ""Update"" | AuditLogs.OperationName contains ""Write"" | AuditLogs.OperationName contains ""reset"" | AzureActivity.OperationNameValue contains ""Insights"" | AzureDiagnostics.Category == ""AzureFirewallApplicationRule"" | DeviceEvents.ActionType in ""Add member to role,Add user,FileCreated,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user,UsbDriveMounted"" | Event.RenderedDescription contains ""Hello"" | OfficeActivity.RecordType == ""MicrosoftTeams"" | SecurityAlert.ProductName == ""Microsoft 365 Insider Risk Management"" | SecurityBaseline.AnalyzeResult in ""Failed,Passed"" | SecurityRecommendation.RecommendationState in ""Healthy,Unhealthy"" | SigninLogs.AuthenticationRequirement == ""multiFactorAuthentication"" | _Computed.AssignedRoles contains ""Admin"" | _Computed.AssignedRoles contains ""Owner"" | _Computed.AssignedRoles contains ""Security Administrator"" | _Computed.AssignedRoles contains ""Security Contributor"" | _Computed.AssignedRoles contains ""admin"" | _Computed.AssignedRoles contains ""owner"" | _Computed.FailureReason contains ""User did not pass the MFA"" | _Computed.Groups contains ""admin"" | _Computed.Groups contains ""security"" | _Computed.OperatingSystem contains ""Android"" | _Computed.OperatingSystem contains ""iOS"" | _Computed.Roles contains ""admin"" | _Computed.Roles contains ""security"" | _Computed.Tactics contains ""exfil"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.complianceStandardId == ""NIST SP 800 171 R2"" | _Computed.complianceState == ""Passed"" | _Computed.recommendationName !contains ""Email"" 
| _Computed.recommendationName !contains ""security group"" | _Computed.recommendationName contains ""EDR"" | _Computed.recommendationName contains ""MFA"" | _Computed.recommendationName contains ""access"" | _Computed.recommendationName contains ""accessible"" | _Computed.recommendationName contains ""account"" | _Computed.recommendationName contains ""audit"" | _Computed.recommendationName contains ""back"" | _Computed.recommendationName contains ""cert"" | _Computed.recommendationName contains ""comm"" | _Computed.recommendationName contains ""config"" | _Computed.recommendationName contains ""crypt"" | _Computed.recommendationName contains ""data"" | _Computed.recommendationName contains ""defender"" | _Computed.recommendationName contains ""disable"" | _Computed.recommendationName contains ""endpoint protect"" | _Computed.recommendationName contains ""firewall"" | _Computed.recommendationName contains ""group"" | _Computed.recommendationName contains ""http"" | _Computed.recommendationName contains ""internet"" | _Computed.recommendationName contains ""key"" | _Computed.recommendationName contains ""log"" | _Computed.recommendationName contains ""malware"" | _Computed.recommendationName contains ""member"" | _Computed.recommendationName contains ""network"" | _Computed.recommendationName contains ""owner"" | _Computed.recommendationName contains ""password"" | _Computed.recommendationName contains ""port"" | _Computed.recommendationName contains ""priv"" | _Computed.recommendationName contains ""private"" | _Computed.recommendationName contains ""protocol"" | _Computed.recommendationName contains ""region"" | _Computed.recommendationName contains ""rest"" | _Computed.recommendationName contains ""session"" | _Computed.recommendationName contains ""signature"" | _Computed.recommendationName contains ""sql"" | _Computed.recommendationName contains ""stor"" | _Computed.recommendationName contains ""tls"" | _Computed.recommendationName contains ""transit"" | 
_Computed.recommendationName contains ""update"" | _Computed.recommendationName contains ""upgrade"" | _Computed.recommendationName contains ""user"" | _Computed.recommendationName contains ""virus"" | _Computed.recommendationName contains ""vuln"" | _Computed.recommendationName contains ""web"" | _Computed.resourceSource in~ ""aws,gcp"" | _Computed.severity == ""High"" | _Computed.state in ""Healthy,Unhealthy""","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" "","Create-AzureDevOpsTask","playbook","This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.","Create-AzureDevOpsTask-CMMCV2/Open_DevOpsTaskRecommendation.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" "","Create Jira Issue","playbook","This playbook will open a Jira Issue when a new incident is opened in Microsoft Sentinel.","CreateJiraIssue-CMMCV2/Open_JIRATicketRecommendation.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" "","Notify_GovernanceComplianceTeam","playbook","This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident 
details.","Notify_GovernanceComplianceTeam-CMMCV2/Notify_GovernanceComplianceTeam.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","CybersecurityMaturityModelCertification(CMMC)2.0","CybersecurityMaturityModelCertification(CMMC)2.0","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CybersecurityMaturityModelCertification%28CMMC%292.0","true" 
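Review bot: the replaced CMMC workbook row re-attributes every `OperationName` filter from `AzureActivity` to `AuditLogs` while `AzureActivity.OperationNameValue contains "Insights"` stays on `AzureActivity`; since both tables expose an `OperationName` column, the hunk alone does not show which attribution the workbook query actually uses, so please confirm against the workbook JSON and say in the version history which mapper rule changed. The same row also renames `_Computed.RecommendationName` to `_Computed.recommendationName` (the filters now sort after `_Computed.complianceState`, consistent with a case-sensitive sort): confirm this reflects the column name as written in the workbook rather than a new case-folding step, because a case change in a `_Computed` key will show up as a diff on every regenerated row that uses it.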
@@ -1507,7 +1512,7 @@ "422ca2bf-598b-4872-82bb-5f7e8fa731e7","Dev-0270 Malicious Powershell usage","analytic_rule","'DEV-0270 heavily uses powershell to achieve their objective at various stages of their attack. To locate powershell related activity tied to the actor, Microsoft Sentinel customers can run the following query.'","Dev-0270PowershellSep2022.yaml","","","High","Available","Scheduled","Exfiltration,DefenseEvasion","T1048,T1562","SecurityEvents,WindowsSecurityEvents,MicrosoftThreatProtection","has_query","","","_Computed.FileName =~ ""powershell.exe"" | _Computed.InitiatingProcessFileName =~ ""powershell.exe""","","","Solution","","","","","false","Dev 0270 Detection and Hunting","Dev 0270 Detection and Hunting","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev%200270%20Detection%20and%20Hunting","true" "2566e99f-ad0f-472a-b9ac-d3899c9283e6","Dev-0270 Registry IOC - September 2022","analytic_rule","'The query below identifies modification of registry by Dev-0270 actor to disable security feature as well as to add ransom notes'","Dev-0270RegistryIOCSep2022.yaml","","","High","Available","Scheduled","Impact","T1486","SecurityEvents,WindowsSecurityEvents,MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","Dev 0270 Detection and Hunting","Dev 0270 Detection and Hunting","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev%200270%20Detection%20and%20Hunting","true" "6b652b4f-9810-4eec-9027-7aa88ce4db23","Dev-0270 WMIC Discovery","analytic_rule","'The query below identifies dllhost.exe using WMIC to discover additional hosts and associated domains in the environment.'","Dev-0270WMICDiscoverySep2022.yaml","","","High","Available","Scheduled","Discovery","T1482","SecurityEvents,WindowsSecurityEvents,MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","Dev 0270 Detection and Hunting","Dev 0270 Detection and 
Hunting","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Dev%200270%20Detection%20and%20Hunting","true" -"afe13b7c-test-11ec-8d3d-0242ac130003","test","hunting_query","'test'","Empty.yaml","","","Test","","","Test","T1190,T1133","test","has_query","","","","","","Solution","","","","","false","DEV-0537DetectionandHunting","DEV-0537DetectionandHunting","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DEV-0537DetectionandHunting","true" +"afe13b7c-test-11ec-8d3d-0242ac130003","test","hunting_query","'test'","Empty.yaml","","","Test","","","Test","T1190,T1133","test","has_query","","","","","","Solution","","","","","false","DEV-0537DetectionandHunting","DEV-0537DetectionandHunting","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/DEV-0537DetectionandHunting","false" "b52cda18-c1af-40e5-91f3-1fcbf9fa267e","Digital Guardian - Sensitive data transfer over insecure channel","analytic_rule","'Detects sensitive data transfer over insecure channel.'","DigitalGuardianClassifiedDataInsecureTransfer.yaml","","","Medium","Available","Scheduled","Exfiltration","T1048","SyslogAma","has_query","","","","","","Solution","","","","","false","Digital Guardian Data Loss Prevention","Digital Guardian Data Loss Prevention","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention","true" "39e25deb-49bb-4cdb-89c1-c466d596e2bd","Digital Guardian - Exfiltration using DNS protocol","analytic_rule","'Detects exfiltration using DNS protocol.'","DigitalGuardianExfiltrationOverDNS.yaml","","","High","Available","Scheduled","Exfiltration","T1048","SyslogAma","has_query","","","","","","Solution","","","","","false","Digital Guardian Data Loss Prevention","Digital Guardian Data Loss Prevention","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention","true" "f7b6ddef-c1e9-46f0-8539-dbba7fb8a5b8","Digital Guardian - Exfiltration to online 
fileshare","analytic_rule","'Detects exfiltration to online fileshare.'","DigitalGuardianExfiltrationToFileShareServices.yaml","","","High","Available","Scheduled","Exfiltration","T1048","SyslogAma","has_query","","","","","","Solution","","","","","false","Digital Guardian Data Loss Prevention","Digital Guardian Data Loss Prevention","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Digital%20Guardian%20Data%20Loss%20Prevention","true" 
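Review bot: the only change in this hunk flips the final column of the DEV-0537DetectionandHunting row from `"true"` to `"false"`, but the row itself is plainly a fixture rather than content: name `test`, description `'test'`, file `Empty.yaml`, severity `Test`, and an id `afe13b7c-test-11ec-8d3d-0242ac130003` whose second group is not hexadecimal and therefore fails GUID validation. Rather than carrying it with a flag, the generator should either skip rows whose id fails validation or mark them explicitly as fixtures, so they cannot leak into `solutions-index.md` or `index.html`; if the flag is what keeps it off the index, state that in the version history entry for this change.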
@@ -1640,14 +1645,14 @@ "","Fetch User Details From Entrust","playbook","This playbook provides the user essential details in comments section of triggered incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity","EntrustPlaybooks/Entrust-EnrichIncidentWithUserDetails/azuredeploy.json","EntrustPlaybooks/Entrust-EnrichIncidentWithUserDetails/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Entrust identity as Service","Entrust identity as Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Entrust%20identity%20as%20Service","true" "","Fetch IP Details From Entrust - Entity","playbook","This playbook provides the IP details of user authentication and management activity in comments section of incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity","EntrustPlaybooks/Entrust-EnrichIP-EntityTrigger/azuredeploy.json","EntrustPlaybooks/Entrust-EnrichIP-EntityTrigger/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Entrust identity as Service","Entrust identity as Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Entrust%20identity%20as%20Service","true" "","Fetch User Details From Entrust - Entity","playbook","This playbook provides the user essential details in comments section of incident so that SOC analysts can directly take corrective measure to stop the attack from unknown/compromised entity","EntrustPlaybooks/Entrust-EnrichUser-EntityTrigger/azuredeploy.json","EntrustPlaybooks/Entrust-EnrichUser-EntityTrigger/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Entrust identity as Service","Entrust identity as Service","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Entrust%20identity%20as%20Service","true" 
-"b0f36d45-4e08-4764-9200-4c5f7d706bb2","ESETProtectPlatform","parser","","ESETProtectPlatform.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESET Protect Platform","ESET Protect Platform","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform","false" +"b0f36d45-4e08-4764-9200-4c5f7d706bb2","ESETProtectPlatform","parser","","ESETProtectPlatform.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESET Protect Platform","ESET Protect Platform","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform","true" "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9","Web sites blocked by Eset","analytic_rule","'Create alert on web sites blocked by Eset.'","eset-sites-blocked.yaml","","","Low","Available","Scheduled","Exfiltration,CommandAndControl,InitialAccess","T1189,T1567,T1071.001","EsetSMC","has_query","","","","","","Solution","","","","","false","Eset Security Management Center","Eset Security Management Center","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset%20Security%20Management%20Center","false" "2d8a60aa-c15e-442e-9ce3-ee924889d2a6","Threats detected by Eset","analytic_rule","'Escalates threats detected by Eset.'","eset-threats.yaml","","","Low","Available","Scheduled","Execution,CredentialAccess,PrivilegeEscalation","T1204,T1212,T1548","EsetSMC","has_query","","","","","","Solution","","","","","false","Eset Security Management Center","Eset Security Management Center","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset%20Security%20Management%20Center","false" "","esetSMCWorkbook","workbook","","esetSMCWorkbook.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Eset Security Management Center","Eset Security Management Center","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset%20Security%20Management%20Center","false" 
-"64badfab-1dd8-4491-927b-3ca206fa9a17","Threats detected by ESET","analytic_rule","'Escalates threats detected by ESET.'","ESETThreatDetected.yaml","","","Low","","Scheduled","Execution","T1204","ESETPROTECT,SyslogAma","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","true" -"7b84fc5b-9ffb-4e9b-945b-5d480e330b3f","Website blocked by ESET","analytic_rule","'Create alert on websites blocked by ESET.'","ESETWebsiteBlocked.yaml","","","Low","","Scheduled","Exfiltration,CommandAndControl,InitialAccess","T1041,T1071,T1189,T1566","ESETPROTECT,SyslogAma","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","true" -"","ESETPROTECT","workbook","","ESETPROTECT.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","true" -"f54b254b-6ec6-4509-be49-e1df76e323c1","ESETPROTECT","parser","","ESETPROTECT.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","true" +"64badfab-1dd8-4491-927b-3ca206fa9a17","Threats detected by ESET","analytic_rule","'Escalates threats detected by ESET.'","ESETThreatDetected.yaml","","","Low","","Scheduled","Execution","T1204","ESETPROTECT,SyslogAma","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","false" +"7b84fc5b-9ffb-4e9b-945b-5d480e330b3f","Website blocked by ESET","analytic_rule","'Create alert on websites blocked by 
ESET.'","ESETWebsiteBlocked.yaml","","","Low","","Scheduled","Exfiltration,CommandAndControl,InitialAccess","T1041,T1071,T1189,T1566","ESETPROTECT,SyslogAma","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","false" +"","ESETPROTECT","workbook","","ESETPROTECT.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","false" +"f54b254b-6ec6-4509-be49-e1df76e323c1","ESETPROTECT","parser","","ESETPROTECT.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","ESETPROTECT","ESETPROTECT","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT","false" "5447ecc5-6e87-4812-a5a1-8e0d366597c2","ExabeamEvent","parser","","ExabeamEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Exabeam Advanced Analytics","Exabeam Advanced Analytics","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Exabeam%20Advanced%20Analytics","true" "cd65aebc-7e85-4cbb-9f91-ff0376c5d37d","Generate alerts based on ExtraHop detections recommended for triage","analytic_rule","'This analytics rule will generate alerts in Microsoft Sentinel for detections from ExtraHop that are recommended for triage.'","ExtraHopSentinelAlerts.yaml","","","Medium","Available","Scheduled","Persistence","T1546","ExtraHop","has_query","","","","","","Solution","","","","","false","ExtraHop","ExtraHop","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop","true" "","ExtraHopDetectionsOverview","workbook","","ExtraHopDetectionsOverview.json","","","","","","","","","has_query","","","SecurityAlert.ProductName == ""ExtraHop"" | _Computed.Entity_Type in 
""SrvSvcSessionEntry,account,alerts,azure-resource,cloud-application,dns,file,filehash,host,host-logon-session,ip,malware,network-connection,process,registry-key,registry-value,security-group,url""","","","Solution","","","","","false","ExtraHop","ExtraHop","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ExtraHop","true" 
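Review bot: the ESET rows flip the final column in opposite directions within one hunk: the `ESET Protect Platform` parser goes `"false"` to `"true"` and all four `ESETPROTECT` rows (two analytic rules, the workbook and the parser) go `"true"` to `"false"`. Two solutions with near-identical names swapping that flag looks like an earlier misclassification being corrected, but nothing in the hunk says which rule decides the value, so please name it in the version history so a reviewer can verify both directions. Unrelated to the change but visible in the same context: the two ESETPROTECT analytic rules have an empty status column between `"Low"` and `"Scheduled"` where every other analytic rule here has `"Available"`, which may be the field the classifier is actually keying on.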
@@ -1666,7 +1671,7 @@ "8df80270-b4fa-4a7a-931e-8d17c0b321ae","Access Token Manipulation - Create Process with Token","analytic_rule","This query detects the use of the 'runas' command and checks whether the account used to elevate privileges isn't the user's own admin account. Additionally, it will match this event to the logon events - to check whether it has been successful as well as augment the event with the new SID.","CreateProcessWithToken.yaml","","","Medium","Available","Scheduled","PrivilegeEscalation,DefenseEvasion","T1134.002","MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" "d58035ff-0bac-4c61-a7f4-f58939ff9764","DCOM Lateral Movement","analytic_rule","This detection looks for cases of close-time proximity between incoming network traffic on RPC/TCP, followed by the creation of a DCOM object, followed by the creation of a child process of the DCOM object. The query first identifies incoming network traffic over RPC/TCP, followed by the creation of a DCOM object (process) within 2 seconds, followed by the creation of a child process of this DCOM object.","DCOMLateralMovement.yaml","","","Medium","Available","Scheduled","LateralMovement","T1021.003","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ActionType != ""ListeningConnectionCreated"" | DeviceProcessEvents.InitiatingProcessParentFileName =~ ""svchost.exe""","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" "20d52a04-b5d8-402d-88e2-7929d12cbdcd","Disable or Modify Windows Defender","analytic_rule","This detection watches the commandline logs for known commands that are used to disable the Defender AV. This is based on research performed by @olafhartong on a large sample of malware for varying purposes. 
Note that this detection is imperfect and is only meant to serve as basis for building a more resilient detection rule. Make the detection more resilient, currently the order of parameters matters. You don't want that for a production rule. See blogpost (https://medium.com/falconforce/falc","DisableOrModifyWindowsDefender.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562.001","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessVersionInfoProductName !~ ""Android Studio""","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" -"3084b487-fad6-4000-9544-6085b9657290","Hijack Execution Flow - DLL Side-Loading","analytic_rule","This detection tries to identify all DLLs loaded by ""high integrity"" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by ""NT Authoriy\System"" and the ""RID 500"" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token eleva","DLLSideLoading.yaml","","","Medium","Available","Scheduled","Persistence,PrivilegeEscalation,DefenseEvasion","T1574.002","MicrosoftThreatProtection","has_query","","","DeviceImageLoadEvents.ActionType in ""FileCreated,FileModified""","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" +"3084b487-fad6-4000-9544-6085b9657290","Hijack Execution Flow - DLL Side-Loading","analytic_rule","This detection tries to identify all DLLs loaded by ""high integrity"" processes and cross-checks the DLL paths against FileCreate/FileModify events of the same DLL by a medium integrity process. 
Of course, we need to do some magic to filter out false positives as much as possible. So any FileCreate/FileModify done by ""NT Authoriy\System"" and the ""RID 500"" users aren't interesting. Also, we only want to see the FileCreate/FileModify actions which are performed with a default or limited token eleva","DLLSideLoading.yaml","","","Medium","Available","Scheduled","Persistence,PrivilegeEscalation,DefenseEvasion","T1574.002","MicrosoftThreatProtection","has_query","","","DeviceFileEvents.ActionType in ""FileCreated,FileModified""","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" "9f921513-65f3-48a2-ae7d-326c5901c55e","Detect .NET runtime being loaded in JScript for code execution","analytic_rule","This query detects .NET being loaded from wscript or cscript to run .NET code, such as cactustorch and sharpshooter. All based on the DotNetToJScript by James Foreshaw documented here https://github.com/tyranid/DotNetToJScript.","DotNetToJScript.yaml","","","Medium","Available","Scheduled","Execution","T1204","MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" "aba0b08c-aace-40c5-a21d-39153023dcaa","Excessive share permissions","analytic_rule","The query searches for event 5143, which is triggered when a share is created or changed and includes de share permissions. First it checks to see if this is a whitelisted share for the system (e.g. domaincontroller netlogon, printserver print$ etc.). The share permissions are then checked against 'allow' rule (A) for a number of well known overly permissive groups, like all users, guests, authenticated users etc. If these are found, an alert is raised so the share creation may be audited. 
Note:","ExcessiveSharePermissions.yaml","","","Medium","Available","Scheduled","Collection,Discovery","T1039,T1135","SecurityEvents,WindowsSecurityEvents","has_query","","","SecurityEvent.EventID == ""5143"" | _Computed.DACLS startswith ""A;""","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" "433c3b0a-7278-4d74-b137-963ac6f9a7e7","Expired access credentials being used in Azure","analytic_rule","This query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired credential access occurred with the IP addresses of successful logins. If there are logins with expired credentials, but no successful logins from an IP, this might indicate an attacker has copied the authentication cookie and is re-using it on another machine.","ExpiredAccessCredentials.yaml","","","Medium","Available","Scheduled","CredentialAccess","T1528","AzureActiveDirectory","has_query","","","","","","Solution","","","","","false","FalconFriday","FalconFriday","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FalconFriday","true" 
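Review bot: the only change in this hunk is the filter column of the "Hijack Execution Flow - DLL Side-Loading" row moving from `DeviceImageLoadEvents.ActionType in "FileCreated,FileModified"` to `DeviceFileEvents.ActionType in "FileCreated,FileModified"`. FileCreated/FileModified are file-event action types, so crediting that predicate to DeviceFileEvents is the right reading of the query, but if this CSV is generated output (the row layout reads like a mapping export) the fix belongs in the table-resolution logic that previously attributed the predicate to the image-load table, and the commit or README version entry should name that change so the corrected row is not silently reverted by the next regeneration. The context rows also show the description column carrying the upstream typo "NT Authoriy\System"; that is solution content, not something the analyzer should rewrite.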
@@ -1689,6 +1694,8 @@ "","DNSDB_Co_Located_IP_Address","playbook","author: Henry Stern, Farsight Security, Inc.","DNSDB_Co_Located_IP_Address/azuredeploy.json","DNSDB_Co_Located_IP_Address/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","true","Farsight DNSDB","Farsight DNSDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Farsight%20DNSDB","true" "","DNSDB_Historical_Address","playbook","author: Henry Stern, Farsight Security, Inc.","DNSDB_Historical_Address/azuredeploy.json","DNSDB_Historical_Address/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","true","Farsight DNSDB","Farsight DNSDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Farsight%20DNSDB","true" "","DNSDB_Historical_Hosts","playbook","author: Henry Stern, Farsight Security, Inc.","DNSDB_Historical_Hosts/azuredeploy.json","DNSDB_Historical_Hosts/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","true","Farsight DNSDB","Farsight DNSDB","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Farsight%20DNSDB","true" +"6d2d6b3f-7d7b-4d4a-9b2b-9f7f3b8c2a11","Field Effect MDR Alert: ARO Alert","analytic_rule","Creates an incident for each Field Effect MDR ARO alert ingested into the workspace.","AROAlert.yaml","","","Medium","Available","Scheduled","Execution,DefenseEvasion","T1059,T1562","FieldEffectCCF","has_query","","","","","","Solution","","","","","false","FieldEffectMDR","FieldEffectMDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR","false" +"1f5d3d5b-3b7b-4c31-9f8d-2e9b7c8c1c2a","FieldEffect","parser","","FieldEffect.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","FieldEffectMDR","FieldEffectMDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/FieldEffectMDR","false" "9b784b65-2d16-4c9f-9f59-2a5d4c659f42","Filewall - Blocked emails","analytic_rule","Identifies emails blocked 
by Filewall for Microsoft 365 (Exchange).","BlockedEmails.yaml","","","High","Available","Scheduled","Exfiltration","T1048","FilewallM365","has_query","ODI-X","Filewall for Microsoft 365","","","","Solution","","","","","false","Filewall for Microsoft 365","Filewall for Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365","false" "86e7f6fd-5c29-4a3a-bced-3eca3fb0c621","Filewall - Blocked files","analytic_rule","Identifies files blocked by Filewall for Microsoft 365 (SharePoint/OneDrive/Teams).","BlockedFiles.yaml","","","High","Available","Scheduled","Exfiltration","T1048","FilewallM365","has_query","ODI-X","Filewall for Microsoft 365","","","","Solution","","","","","false","Filewall for Microsoft 365","Filewall for Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365","false" "","FilewallM365Overview","workbook","","FilewallM365Overview.json","","","","","","","","","has_query","","","_Computed.size_unit in~ ""B,GB,KB,MB""","","","Solution","","","","","false","Filewall for Microsoft 365","Filewall for Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Filewall%20for%20Microsoft%20365","false" 
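Review bot: the new "Field Effect MDR Alert: ARO Alert" row is described as a pass-through ("Creates an incident for each Field Effect MDR ARO alert ingested into the workspace") yet carries tactics `Execution,DefenseEvasion` and techniques `T1059,T1562`; a rule that promotes every vendor alert to an incident does not itself detect those techniques, so the tags will mislabel the index unless the upstream YAML is corrected or the analyzer marks pass-through rules as such. Note also that both FieldEffectMDR rows end with `false` where the adjacent Farsight DNSDB rows end with `true`; if that final column is the same flag that later hunks flip for HYAS Protect, Illumio Core and Infoblox, the README should document what it encodes so a reviewer can tell a new-solution default from a reclassification.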
@@ -1880,6 +1887,11 @@ "","Google Directory - Enrich Incident With User Info","playbook","Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Obtains information about user.](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/get) 3. Enriches the incident with the obtained info.","Playbooks/Google-EnrichIncidentWithUserInfo/azuredeploy.json","Playbooks/Google-EnrichIncidentWithUserInfo/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","GoogleDirectory","GoogleDirectory","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleDirectory","true" "","Google Directory - Sign Out User","playbook","Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. [Signs out users.](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut) 3. Adds comment to the incident about signed out users.","Playbooks/Google-SignOutUser/azuredeploy.json","Playbooks/Google-SignOutUser/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","GoogleDirectory","GoogleDirectory","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleDirectory","true" "","Google Directory - Suspend User","playbook","Once a new Microsoft Sentinel incident is created, this playbook gets triggered and performs the following actions: 1. Gets users from the incident. 2. Sends an adaptive card to the Teams channel where the analyst can choose users to suspend. 3. Suspends users. 4. 
Adds comment to the incident about suspended users.","Playbooks/Google-SuspendUser/azuredeploy.json","Playbooks/Google-SuspendUser/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","GoogleDirectory","GoogleDirectory","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleDirectory","true" +"f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a","Google SecOps - Detection Alerts","analytic_rule","Creates one incident per active Google Security Operations detection alert in Microsoft Sentinel. Covers all rule types and severity levels with no additional filtering, providing broad visibility across all Google SecOps alerts. Use alongside focused rules for complete detection coverage.","GoogleSecOps-DetectionAlerts.yaml","","","Medium","Available","Scheduled","InitialAccess,DefenseEvasion,LateralMovement,PrivilegeEscalation,CommandAndControl","T1078,T1021,T1566","GSDetectionAlerts","has_query","","","","","","Solution","","","","","false","GoogleSecOps","GoogleSecOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps","false" +"b3e7f921-5c4a-4d8e-a2f9-7b1d3e6c9a5f","Google SecOps - GCTI Threat Intelligence Finding","analytic_rule","Creates incidents in Microsoft Sentinel when Google Security Operations raises an active threat intelligence alert (GCTI_FINDING). 
These alerts are generated by Google's global threat intel corpus and represent high-confidence threats, distinct from customer-authored rule detections.","GoogleSecOps-GCTIThreatIntelligenceFinding.yaml","","","High","Available","Scheduled","InitialAccess,Execution,CommandAndControl,Exfiltration","T1078,T1566,T1071,T1048","GSDetectionAlerts","has_query","","","","","","Solution","","","","","false","GoogleSecOps","GoogleSecOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps","false" +"d4f8a032-6d5b-4e9f-b3a0-8c2e4f7d0b6e","Google SecOps - Multi-Event Correlated Alert","analytic_rule","Creates incidents in Microsoft Sentinel when Google Security Operations raises an active multi-event correlated alert (MULTI_EVENT, riskScore gte 40) at HIGH or CRITICAL severity. These alerts indicate complex attack patterns like lateral movement, staged persistence, or command-and-control identified by correlating multiple signals across a time window.","GoogleSecOps-MultiEventCorrelatedAlert.yaml","","","High","Available","Scheduled","LateralMovement,Persistence,PrivilegeEscalation,CommandAndControl","T1210,T1021,T1053,T1055","GSDetectionAlerts","has_query","","","","","","Solution","","","","","false","GoogleSecOps","GoogleSecOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps","false" +"e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f","Google SecOps - Single-Event Alert","analytic_rule","Creates incidents in Microsoft Sentinel when Google Security Operations raises an active single-event alert (SINGLE_EVENT, riskScore gte 40) at MEDIUM, HIGH, or CRITICAL severity. 
These alerts represent a single action like malware execution, credential abuse, or defense evasion severe enough to trigger an incident without requiring multi-signal correlation.","GoogleSecOps-SingleEventAlert.yaml","","","High","Available","Scheduled","Execution,CredentialAccess,DefenseEvasion,Impact","T1059,T1110,T1562,T1485","GSDetectionAlerts","has_query","","","","","","Solution","","","","","false","GoogleSecOps","GoogleSecOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps","false" +"a7c9d8f2-4e1b-4a2f-9c3d-5e8f7a2b9c1d","GoogleSecOpsDetectionAlerts","parser","","GoogleSecOpsDetectionAlerts.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","GoogleSecOps","GoogleSecOps","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleSecOps","false" "03f25156-6172-11ec-90d6-0242ac120003","GWorkspace - Admin permissions granted","analytic_rule","'Triggers on admin permissions granted.'","GWorkspaceAdminPermissionsGranted.yaml","","","High","Available","Scheduled","Persistence","T1098","GoogleWorkspaceReportsAPI","has_query","","","","","","Solution","","","","","false","GoogleWorkspaceReports","GoogleWorkspaceReports","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports","true" "e369d246-5da8-11ec-bf63-0242ac130002","GWorkspace - Alert events","analytic_rule","'Detects alert events.'","GWorkspaceAlertEvents.yaml","","","High","Available","Scheduled","InitialAccess","T1190,T1133","GoogleWorkspaceReportsAPI","has_query","","","","","","Solution","","","","","false","GoogleWorkspaceReports","GoogleWorkspaceReports","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports","true" "c45a9804-5da8-11ec-bf63-0242ac130002","GWorkspace - API Access Granted","analytic_rule","'Triggers when API Access has been granted to a new 
client.'","GWorkspaceApiAccessToNewClient.yaml","","","Medium","Available","Scheduled","DefenseEvasion,LateralMovement","T1550","GoogleWorkspaceReportsAPI","has_query","","","","","","Solution","","","","","false","GoogleWorkspaceReports","GoogleWorkspaceReports","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports","true" 
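Review bot: two of the five new GoogleSecOps rule ids, `f6b0c254-8f7d-4a1b-d5c2-0e4a6b9f2d8a` and `e5a9b143-7e6c-4f0a-c4b1-9d3f5a8e1c7f`, have a fourth group beginning with `d` and `c`, which does not match the RFC 4122 variant (8, 9, a or b) that every other id in this hunk follows; they still parse as GUIDs, but hand-authored ids like these are worth flagging to the solution authors before anything cross-references them. Separately, the catch-all "Google SecOps - Detection Alerts" rule ("Covers all rule types and severity levels with no additional filtering") overlaps the three focused GCTI_FINDING / MULTI_EVENT / SINGLE_EVENT rules, so a workspace with all four enabled would open two incidents for the same alert; the description's "Use alongside focused rules" reads as if the rules were complementary rather than alternatives. Neither point is an analyzer defect, but both will be surfaced verbatim in the generated index.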
@@ -1962,11 +1974,11 @@ "","HYASInsight Enrich Incident By SinkHole Information","playbook","This playbook enriches ip addresses asscociated with an incident with by sinkhole information.","HYAS-Insight-IP-Sinkhole-Data/azuredeploy.json","HYAS-Insight-IP-Sinkhole-Data/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","HYAS","HYAS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS","true" "","HYASInsight Enrich Incident By SSL Certificate Information","playbook","This playbook enriches ip addresses asscociated with an incident with by ssl certificate information.","HYAS-Insight-IP-SSL-Certificate-Data/azuredeploy.json","HYAS-Insight-IP-SSL-Certificate-Data/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","HYAS","HYAS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS","true" "","HYASInsight Enrich Incident By WHOIS Info","playbook","This playbook enriches phone numbers asscociated with an incident with WHOIS information.","HYAS-Insight-PhoneNumber-Whois-Data/azuredeploy.json","HYAS-Insight-PhoneNumber-Whois-Data/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","HYAS","HYAS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS","true" -"6e70b2c1-202d-4805-bddc-f0e08ef0fc4d","HYASProtectDNS","parser","","HYASProtectDNS.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","HYAS Protect","HYAS Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS%20Protect","true" +"6e70b2c1-202d-4805-bddc-f0e08ef0fc4d","HYASProtectDNS","parser","","HYASProtectDNS.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","HYAS Protect","HYAS Protect","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/HYAS%20Protect","false" 
"","ibossMalwareAndC2","workbook","","ibossMalwareAndC2.json","","","","","","","","","has_query","","","_Computed.CNCDetected == ""1"" | _Computed.MalwareDetected == ""1""","","","Solution","","","","","false","iboss","iboss","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/iboss","true" "","ibossWebUsage","workbook","","ibossWebUsage.json","","","","","","","","","has_query","","","_Computed.UrlCategory != ""-""","","","Solution","","","","","false","iboss","iboss","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/iboss","true" "0902cd9b-3b2b-4ad4-a480-e5e960b6a77d","ibossUrlEvent","parser","","ibossUrlEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","iboss","iboss","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/iboss","true" -"1c0eafd3-9b95-4bad-bf1c-28a0d0145e42","IllumioCoreEvent","parser","","IllumioCoreEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Illumio Core","Illumio Core","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core","true" +"1c0eafd3-9b95-4bad-bf1c-28a0d0145e42","IllumioCoreEvent","parser","","IllumioCoreEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Illumio Core","Illumio Core","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Illumio%20Core","false" "b3c4b8f4-c12c-471e-9999-023c05852276","Illumio VEN Clone Detection Rule","analytic_rule","'Create Microsoft Sentinel Incident When A Cloned Ven Is Detected'","Illumio_VEN_Clone_Detection_Query.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562","IllumioSaaSDataConnector,SyslogAma","has_query","","","","","","Solution","","","","","false","IllumioSaaS","IllumioSaaS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS","true" "c18bd8c2-50f0-4aa2-8122-d449243627d7","Illumio VEN Deactivated Detection Rule","analytic_rule","'Create Microsoft 
Sentinel Incident When Ven Goes Into Deactivated state'","Illumio_VEN_Deactivated_Query.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562","IllumioSaaSDataConnector,SyslogAma","has_query","","","","","","Solution","","","","","false","IllumioSaaS","IllumioSaaS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS","true" "599fdc92-eb6d-4b54-8d79-2a3f740a846a","Illumio Enforcement Change Analytic Rule","analytic_rule","'Create Microsoft Sentinel Incident When Ven Changes Enforcement State from Full/Selective To Idle/Visibility state'","Illumio_VEN_Enforcement_Change_Detection_Query.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562","IllumioSaaSDataConnector,SyslogAma","has_query","","","","","","Solution","","","","","false","IllumioSaaS","IllumioSaaS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IllumioSaaS","true" 
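Review bot: the only change in this hunk is the final column flipping from `true` to `false` on the HYASProtectDNS and IllumioCoreEvent parser rows, with no other field touched. The Infoblox Cloud Data Connector hunk below flips that column on every row of the solution, which suggests the flag is per-solution; if so, confirm that HYAS Protect and Illumio Core have no further rows outside this hunk's three-line context that still read `true`, or the mapping will be internally inconsistent. Because a `true` to `false` flip on an existing solution changes how it is presented in the generated index, the commit message or README version entry should state what triggered the reclassification (regeneration against updated solution metadata versus a manual override) rather than leaving the CSV diff as the only record.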
@@ -2036,27 +2048,27 @@ "e62fa1e8-d157-4ee5-bb43-4fe6ea504f2d","InfobloxInsightComments","parser","","InfobloxInsightComments.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox","Infoblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox","true" "3bf27a0c-7335-42d5-bc41-330456b4eec2","InfobloxInsightEvents","parser","","InfobloxInsightEvents.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox","Infoblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox","true" "f58f77a5-c803-444a-a836-fae65880ec5e","InfobloxInsightIndicators","parser","","InfobloxInsightIndicators.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox","Infoblox","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox","true" -"8db2b374-0337-49bd-94c9-cfbf8e5d83ad","Infoblox - Data Exfiltration Attack","analytic_rule","'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-DataExfiltrationAttack.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"dc7af829-d716-4774-9d6f-03d9aa7c27a4","Infoblox - High Threat Level Query Not Blocked Detected","analytic_rule","'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. 
This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"3822b794-fa89-4420-aad6-0e1a2307f419","Infoblox - Many High Threat Level Queries From Single Host Detected","analytic_rule","'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"99278700-79ca-4b0f-b416-bf57ec699e1a","Infoblox - Many High Threat Level Single Query Detected","analytic_rule","'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. 
This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"b2f34315-9065-488e-88d0-a171d2b0da8e","Infoblox - Many NXDOMAIN DNS Responses Detected","analytic_rule","'Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID == ""DNS Response""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"5b0864a9-4577-4087-b9fa-de3e14a8a999","Infoblox - TI - CommonSecurityLog Match Found - MalwareC2","analytic_rule","'CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. 
Modify data sources, types and threat properties as desired.'","Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"568730be-b39d-45e3-a392-941e00837d52","Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains","analytic_rule","'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"28ee3c2b-eb4b-44de-a71e-e462843fea72","Infoblox - TI - Syslog Match Found - URL","analytic_rule","'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. 
Modify data sources, types and threat properties as desired.'","Infoblox-TI-SyslogMatchFound-URL.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","Syslog,ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","InfobloxCDCB1TDWorkbook","workbook","","InfobloxCDCB1TDWorkbook.json","","","","","","","","","has_query","","","CommonSecurityLog.DeviceEventClassID in ""DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"" | CommonSecurityLog.DeviceEventClassID has_cs ""DHCP"" | CommonSecurityLog.DeviceEventClassID has_cs ""DNS"" | CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import AISCOMM Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all indicators from the AISCOMM data provider on a scheduled weekly basis.","Infoblox-Import-AISCOMM-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Emails Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports newly detected emails on a scheduled weekly basis.","Infoblox-Import-Emails-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Hashes Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected hashes on a scheduled weekly basis.","Infoblox-Import-Hashes-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Hosts Daily Lookalike Domains","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Lookalike domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Hosts Daily MalwareC2DGA","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports newly detected MalwareC2DGA domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Hosts Daily Phishing","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Phishing domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import Hosts Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected hosts on a scheduled hourly basis.","Infoblox-Import-Hosts-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import IPs Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports all newly detected IPs on a scheduled hourly basis.","Infoblox-Import-IPs-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Import URLs Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected URLs on a scheduled hourly basis.","Infoblox-Import-URLs-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Incident Enrichment Domains","playbook","Leverages the Infoblox TIDE API to enrich Microsoft Sentinel incidents with detailed TIDE data. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.","Infoblox-Incident-Enrichment-Domains/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"","Infoblox Incident Send Email","playbook","Sends a detailed email when an incident occurs. Optionally enriches an applicable entity within the email with Infoblox TIDE data. 
This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.","Infoblox-Incident-Send-Email/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" -"3815f65b-5c24-49ea-ac06-c24b4223a5b6","InfobloxCDC","parser","","InfobloxCDC.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","true" +"8db2b374-0337-49bd-94c9-cfbf8e5d83ad","Infoblox - Data Exfiltration Attack","analytic_rule","'Data exfiltration attack detected by Infoblox Threat Insight. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-DataExfiltrationAttack.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"dc7af829-d716-4774-9d6f-03d9aa7c27a4","Infoblox - High Threat Level Query Not Blocked Detected","analytic_rule","'At least 1 high threat level query generated by single host in 1 hour that is not blocked or redirected. Customize query count, scheduling, responses and more. 
This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-HighThreatLevelQueryNotBlockedDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"3822b794-fa89-4420-aad6-0e1a2307f419","Infoblox - Many High Threat Level Queries From Single Host Detected","analytic_rule","'At least 200 high threat level queries generated by single host in 1 hour. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyHighThreatLevelQueriesFromSingleHostDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"99278700-79ca-4b0f-b416-bf57ec699e1a","Infoblox - Many High Threat Level Single Query Detected","analytic_rule","'Single high threat level domain queried at least 200 times in 1 hour regardless of source. Customize query count, scheduling, responses and more. 
This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyHighThreatLevelSingleQueryDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"b2f34315-9065-488e-88d0-a171d2b0da8e","Infoblox - Many NXDOMAIN DNS Responses Detected","analytic_rule","'Detected at least 200 DNS responses for non-existent domains in 1 hour generated by single host. Queries do not need to be the same. Customize query count, scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-ManyNXDOMAINDNSResponsesDetected.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","CefAma","has_query","","","CommonSecurityLog.DeviceEventClassID == ""DNS Response""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"5b0864a9-4577-4087-b9fa-de3e14a8a999","Infoblox - TI - CommonSecurityLog Match Found - MalwareC2","analytic_rule","'CommonSecurityLog (CEF) MalwareC2/MalwareC2DGA match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. 
Modify data sources, types and threat properties as desired.'","Infoblox-TI-CommonSecurityLogMatchFound-MalwareC2.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"568730be-b39d-45e3-a392-941e00837d52","Infoblox - TI - InfobloxCDC Match Found - Lookalike Domains","analytic_rule","'InfobloxCDC Lookalike Domain match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. Modify data sources, types and threat properties as desired. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC**](https://aka.ms/sentinel-InfobloxCloudDataConnector-parser).'","Infoblox-TI-InfobloxCDCMatchFound-LookalikeDomains.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"28ee3c2b-eb4b-44de-a71e-e462843fea72","Infoblox - TI - Syslog Match Found - URL","analytic_rule","'Syslog URL match found in your Infoblox TIDE Threat Intelligence. Customize query count, scheduling, responses and more. 
Modify data sources, types and threat properties as desired.'","Infoblox-TI-SyslogMatchFound-URL.yaml","","","Medium","Available","Scheduled","Impact","T1498,T1565","Syslog,ThreatIntelligence,CefAma","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","InfobloxCDCB1TDWorkbook","workbook","","InfobloxCDCB1TDWorkbook.json","","","","","","","","","has_query","","","CommonSecurityLog.DeviceEventClassID in ""DHCP-LEASE-CREATE,DHCP-LEASE-DELETE,DHCP-LEASE-UPDATE"" | CommonSecurityLog.DeviceEventClassID has_cs ""DHCP"" | CommonSecurityLog.DeviceEventClassID has_cs ""DNS"" | CommonSecurityLog.DeviceEventClassID has_cs ""RPZ""","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import AISCOMM Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all indicators from the AISCOMM data provider on a scheduled weekly basis.","Infoblox-Import-AISCOMM-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Emails Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports newly detected emails on a scheduled weekly basis.","Infoblox-Import-Emails-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Hashes Weekly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected hashes on a scheduled weekly basis.","Infoblox-Import-Hashes-Weekly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Hosts Daily Lookalike Domains","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Lookalike domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-LookalikeDomains/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Hosts Daily MalwareC2DGA","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports newly detected MalwareC2DGA domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-MalwareC2DGA/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Hosts Daily Phishing","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports newly detected Phishing domains on a scheduled daily basis.","Infoblox-Import-Hosts-Daily-Phishing/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import Hosts Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected hosts on a scheduled hourly basis.","Infoblox-Import-Hosts-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import IPs Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. 
This playbook imports all newly detected IPs on a scheduled hourly basis.","Infoblox-Import-IPs-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Import URLs Hourly","playbook","Leverages the Infoblox TIDE API to automatically import threat indicators into the ThreatIntelligenceIndicator table. This playbook imports all newly detected URLs on a scheduled hourly basis.","Infoblox-Import-URLs-Hourly/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Incident Enrichment Domains","playbook","Leverages the Infoblox TIDE API to enrich Microsoft Sentinel incidents with detailed TIDE data. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.","Infoblox-Incident-Enrichment-Domains/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"","Infoblox Incident Send Email","playbook","Sends a detailed email when an incident occurs. Optionally enriches an applicable entity within the email with Infoblox TIDE data. 
This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.","Infoblox-Incident-Send-Email/azuredeploy.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" +"3815f65b-5c24-49ea-ac06-c24b4223a5b6","InfobloxCDC","parser","","InfobloxCDC.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox Cloud Data Connector","Infoblox Cloud Data Connector","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20Cloud%20Data%20Connector","false" "b8266f81-2715-41a6-9062-42486cbc9c73","Excessive NXDOMAIN DNS Queries","analytic_rule","'This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.'","ExcessiveNXDOMAINDNSQueries.yaml","","","Medium","Available","Scheduled","CommandAndControl","T1568,T1008","SyslogAma","has_query","","","","","","Solution","","","","","false","Infoblox NIOS","Infoblox NIOS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS","true" "57e56fc9-417a-4f41-a579-5475aea7b8ce","Potential DHCP Starvation Attack","analytic_rule","'This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.'","PotentialDHCPStarvationAttack.yaml","","","Medium","Available","Scheduled","InitialAccess","T1200","SyslogAma","has_query","","","","","","Solution","","","","","false","Infoblox NIOS","Infoblox NIOS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS","true" "","Infoblox-Workbook-V2","workbook","","Infoblox-Workbook-V2.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","Infoblox NIOS","Infoblox 
NIOS","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS","true" 
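Review bot: across this hunk the only change to the Infoblox Cloud Data Connector rows is the trailing field flipping from `"true"` to `"false"`; the `+` rows repeat the playbook, parser, workbook and analytic-rule items verbatim otherwise, and the neighbouring Infoblox NIOS context rows keep `"true"`, so the flip is per solution, not global. Neither the hunk nor the README entry in this diff (v9.10, schema reference links) says what that column records or which rule moved this one solution; add a version-history line naming the flag and the reason, so a later reader of the CSV does not have to diff the mapper to find out.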
@@ -2210,9 +2222,9 @@ "","Lookout-MobileThreat-NotifyAndEnrich","playbook","When a high or critical severity mobile threat incident is created in Microsoft Sentinel by Lookout, this playbook enriches the incident with a detailed investigation comment including threat intelligence context, device risk details, and recommended next steps for the analyst.","Lookout-MobileThreat-NotifyAndEnrich/azuredeploy.json","Lookout-MobileThreat-NotifyAndEnrich/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Lookout","Lookout","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout","true" "","Lookout-SmishingAlert-UserNotify","playbook","When a critical or high severity smishing or phishing incident is created in Microsoft Sentinel by Lookout, this playbook enriches the incident with a comment documenting the phishing campaign context, attack intelligence, and recommended analyst next steps.","Lookout-SmishingAlert-UserNotify/azuredeploy.json","Lookout-SmishingAlert-UserNotify/readme.md","","","","","","","","no_query","","","","","","Solution","","","","","false","Lookout","Lookout","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout","true" "37da203d-4edd-429e-83cd-fccf11e60c20","LookoutEvents","parser","","LookoutEvents.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout","Lookout","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout","true" -"ecaf0d02-9547-4e2d-b4fd-48112442430e","LookoutCSActivities","parser","","LookoutCSActivities.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","true" 
-"411d9caf-088b-42d7-b1d0-7db898efc1b4","LookoutCSAnomalies","parser","","LookoutCSAnomalies.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","true" -"3394b060-0e55-4ecc-828e-a5671e3275cd","LookoutCSViolations","parser","","LookoutCSViolations.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","true" +"ecaf0d02-9547-4e2d-b4fd-48112442430e","LookoutCSActivities","parser","","LookoutCSActivities.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","false" +"411d9caf-088b-42d7-b1d0-7db898efc1b4","LookoutCSAnomalies","parser","","LookoutCSAnomalies.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","false" +"3394b060-0e55-4ecc-828e-a5671e3275cd","LookoutCSViolations","parser","","LookoutCSViolations.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","Lookout Cloud Security Platform for Microsoft Sentinel","Lookout Cloud 
Security Platform for Microsoft Sentinel","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout%20Cloud%20Security%20Platform%20for%20Microsoft%20Sentinel","false" "29bf5bcd-6795-4c79-a91f-aaef5a618bab","Lumen TI domain in DnsEvents","analytic_rule","This query searches for matches between Lumen threat intelligence domain indicators and DnsEvents.","Lumen_DomainEntity_DNS.yaml","","","Medium","","Scheduled","CommandAndControl","T1071","LumenThreatFeedConnector,ThreatIntelligenceUploadIndicatorsAPI,DNS","has_query","","","","","","Solution","","","","","false","Lumen Defender Threat Feed","Lumen Defender Threat Feed","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen%20Defender%20Threat%20Feed","true" "bc8a262a-5db3-4ac1-8757-519ed36ed929","Lumen TI IPAddress in CommonSecurityLog","analytic_rule","This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.","Lumen_IPEntity_CommonSecurityLog.yaml","","","Medium","","Scheduled","CommandAndControl","T1071","LumenThreatFeedConnector,ThreatIntelligenceUploadIndicatorsAPI,CEF,CefAma","has_query","","","","","","Solution","","","","","false","Lumen Defender Threat Feed","Lumen Defender Threat Feed","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen%20Defender%20Threat%20Feed","true" "fa566691-42a2-4136-6a8b-ffa3ea510000","Lumen TI IPAddress in DeviceEvents","analytic_rule","This query maps Lumen IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in DeviceEvents.","Lumen_IPEntity_DeviceEvents.yaml","","","Medium","","Scheduled","CommandAndControl","T1071","LumenThreatFeedConnector,ThreatIntelligenceUploadIndicatorsAPI,MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","Lumen Defender Threat Feed","Lumen Defender Threat 
Feed","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lumen%20Defender%20Threat%20Feed","true" 
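Review bot: the same trailing-flag flip, applied here only to the three Lookout Cloud Security Platform parser rows while the adjacent `Lookout` solution rows (the two playbooks and the `LookoutEvents` parser) keep `"true"`. Since both hunks flip every row of one solution together, the value is a solution-level property copied onto each content row; consider emitting it once per solution, or documenting that it is copied, so a partial regeneration cannot leave one solution with mixed `true`/`false` rows.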
@@ -2239,7 +2251,7 @@ "b43394b9-fa91-4d98-b331-619926a933bb","Detect New Scheduled Task Creation that Run Executables From Non-Standard Location","hunting_query","This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system.","NewMaliciousScheduledTask.yaml","","","","","","Execution,PrivilegeEscalation,Persistence","T1053","CrowdStrikeFalconEndpointProtection,MicrosoftThreatProtection,SentinelOne,VMwareCarbonBlack,CiscoSecureEndpoint,TrendMicroApexOne,TrendMicroApexOneAma","has_query","","","_ASim_ProcessEvent.EventType == ""ProcessCreated"" | _ASim_ProcessEvent.TargetProcessName has ""schtasks.exe""","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware%20Protection%20Essentials","true" "4dc0aae4-6375-4670-b138-8c42490ba206","Detect New Scheduled Task Entry Creations","hunting_query","This hunting query identifies new scheduled task entry creations. 
Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system.","NewScheduledTaskCreation.yaml","","","","","","Execution,PrivilegeEscalation,Persistence","T1053","CrowdStrikeFalconEndpointProtection,MicrosoftThreatProtection,SentinelOne,VMwareCarbonBlack,CiscoSecureEndpoint,TrendMicroApexOne,TrendMicroApexOneAma","has_query","","","_ASim_FileEvent.EventType in ""FileCreated,FileModified"" | _ASim_FileEvent.FilePath has ""\\Windows\\System32\\Tasks""","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware%20Protection%20Essentials","true" "54b222c4-0149-421e-9d6d-da66da50495a","Detect Modification to System Files or Directories by User Accounts","hunting_query","This hunting query searches for modifications to system files or directories by a non system account (User Account).","SystemFilesModifiedByUser.yaml","","","","","","DefenseEvasion,Persistence,PrivilegeEscalation","T1036,T1543","CrowdStrikeFalconEndpointProtection,MicrosoftThreatProtection,SentinelOne,VMwareCarbonBlack,CiscoSecureEndpoint,TrendMicroApexOne,TrendMicroApexOneAma","has_query","","","_ASim_FileEvent.EventType in ""FileCreated,FileModified""","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware%20Protection%20Essentials","true" -"","MalwareProtectionEssentialsWorkbook","workbook","","MalwareProtectionEssentialsWorkbook.json","","","","","","","","","has_query","","","_ASim_RegistryEvent.CommandLine has_all ""/set"" | _ASim_RegistryEvent.CommandLine has_all ""delete"" | _ASim_RegistryEvent.EventType in ""FileCreated,FileModified,ProcessCreated,RegistryKeyCreated,RegistryValueSet"" | _ASim_RegistryEvent.FilePath has ""\\Windows\\System32\\Tasks"" | _ASim_RegistryEvent.RegistryValue has_any ""AUOptions"" | 
_ASim_RegistryEvent.RegistryValueData == ""1"" | _ASim_RegistryEvent.RegistryValueData has_all ""Action=Allow"" | _ASim_RegistryEvent.TargetProcessFilename =~ ""bcedit.exe"" | _ASim_RegistryEvent.TargetProcessFilename has_any ""vssadmin.exe"" | _Computed.CommandLineArgs contains ""base64""","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware%20Protection%20Essentials","true" +"","MalwareProtectionEssentialsWorkbook","workbook","","MalwareProtectionEssentialsWorkbook.json","","","","","","","","","has_query","","","_ASim_ProcessEvent.CommandLine has_all ""/set"" | _ASim_ProcessEvent.CommandLine has_all ""delete"" | _ASim_ProcessEvent.EventType in ""FileCreated,FileModified,ProcessCreated,RegistryKeyCreated,RegistryValueSet"" | _ASim_ProcessEvent.FilePath has ""\\Windows\\System32\\Tasks"" | _ASim_ProcessEvent.RegistryValue has_any ""AUOptions"" | _ASim_ProcessEvent.RegistryValueData == ""1"" | _ASim_ProcessEvent.RegistryValueData has_all ""Action=Allow"" | _ASim_ProcessEvent.TargetProcessFilename =~ ""bcedit.exe"" | _ASim_ProcessEvent.TargetProcessFilename has_any ""vssadmin.exe"" | _Computed.CommandLineArgs contains ""base64""","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Malware%20Protection%20Essentials","true" "","RansomwareFileExtensions","watchlist","","RansomwareFileExtensions.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","Malware Protection Essentials","Malware Protection Essentials","","true" "f2b2c4e3-a65b-44ba-81e9-03a79fa0fa84","MarkLogicAudit","parser","","MarkLogicAudit.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","MarkLogicAudit","MarkLogicAudit","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MarkLogicAudit","true" 
"4be5b645-1d08-49e4-b58d-07294ff19223","M2131_AssetStoppedLogging","analytic_rule","'This alert is designed to monitor assets within the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when a monitored asset fails to provide a heartbeat within 24 hours.'","M2131AssetStoppedLogging.yaml","","","Medium","Available","Scheduled","Discovery","T1082","","has_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" 
@@ -2254,37 +2266,37 @@ "f9e0ae98-6828-4d5a-b596-7c4586bb14f6","M2131_RecommendedDatatableNotLogged_EL1","hunting_query","'This alert audits your logging architecture for recommended data tables aligned to Basic Event Logging (EL1) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL1 are not present.'","M2131RecommendedDatatableNotLoggedEL1.yaml","","","Medium","","Scheduled","Discovery","T1082","","has_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" "76326a24-1223-4066-88a3-3826e3768932","M2131_RecommendedDatatableNotLogged_EL2","hunting_query","'This alert audits your logging architecture for recommended data tables aligned to Intermediate Event Logging (EL2) of the Maturity Model for Event Log Management (M-21-31) standard. The alert triggers when recommended data tables in EL2 are not present.'","M2131RecommendedDatatableNotLoggedEL2.yaml","","","Medium","","Scheduled","Discovery","T1082","","has_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" "8b415f2d-44c1-4edb-8ca6-ddf7d2d28b20","M2131_RecommendedDatatableNotLogged_EL3","hunting_query","'This alert audits your logging architecture for recommended data tables aligned to Advanced Event Logging (EL3) of the Maturity Model for Event Log Management (M-21-31) standard. 
The alert triggers when recommended data tables in EL3 are not present.'","M2131RecommendedDatatableNotLoggedEL3.yaml","","","Medium","","Scheduled","Discovery","T1082","","has_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" -"","MaturityModelForEventLogManagement_M2131","workbook","","MaturityModelForEventLogManagement_M2131.json","","","","","","","","","has_query","","","AlertEvidence.ActionType in ""Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"" | AzureActivity.ActivityStatusValue == ""Success"" | AzureActivity.ActivitySubstatusValue in ""Created,OK"" | AzureActivity.OperationName in ""Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,Reset user password,Update user"" | AzureActivity.OperationName !contains ""external"" | AzureActivity.OperationName !contains ""invite"" | AzureActivity.OperationName !contains ""licnense"" | AzureActivity.OperationName contains ""group"" | AzureActivity.OperationName contains ""member"" | AzureActivity.OperationName contains ""principal"" | AzureActivity.OperationName contains ""role"" | AzureActivity.OperationName contains ""user"" | AzureActivity.OperationNameValue contains ""Microsoft.Network/loadBalancers/"" | AzureActivity.OperationNameValue contains ""Network"" | AzureActivity.ResourceProviderValue in ""MICROSOFT.CONTAINERSERVICE,MICROSOFT.LOGIC"" | AzureDiagnostics.Category in ""AzureFirewallApplicationRule,AzureFirewallNetworkRule,EntitlementManagement,FrontdoorWebApplicationFirewallLog,GatewayDiagnosticLog,GroupManagement,IKEDiagnosticLog,NetworkSecurityGroupEvent,RouteDiagnosticLog,TunnelDiagnosticLog,UserManagement,WebApplicationFirewallLogs,kube-audit"" | AzureDiagnostics.Category contains ""SQL"" | 
AzureDiagnostics.Resource == ""SOC-NS-AG-WAFV2"" | AzureDiagnostics.ResourceProvider in ""MICROSOFT.CONTAINERSERVICE,MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType in ""APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES,SERVERS/DATABASES"" | AzureDiagnostics.msg_s !has "". Url"" | AzureDiagnostics.msg_s !has ""No rule matched"" | AzureDiagnostics.msg_s !has ""Reason:"" | AzureDiagnostics.msg_s !has ""Rule Collection"" | AzureDiagnostics.msg_s !has ""TLS extension was missing"" | AzureDiagnostics.msg_s !has ""Web Category:"" | AzureDiagnostics.msg_s has "". No rule matched"" | AzureDiagnostics.msg_s has "". Url"" | AzureDiagnostics.msg_s has ""Reason:"" | AzureDiagnostics.msg_s has ""Rule Collection Group"" | AzureDiagnostics.msg_s has ""Web Category:"" | ConfigurationChange.ConfigChangeType == ""Registry"" | ConfigurationData.ConfigDataType == ""Registry"" | EmailEvents.DeliveryAction == ""Junked"" | EmailEvents.DetectionMethods contains ""spam"" | InsightsMetrics.Namespace in ""Memory,Network,Processor"" | OfficeActivity.OfficeWorkload == ""Exchange"" | OfficeActivity.Operation !contains ""access"" | OfficeActivity.Operation contains ""policy"" | OfficeActivity.RecordType == ""ExchangeAdmin"" | SecurityEvent.GroupMembership contains ""admin"" | SecurityEvent.GroupMembership contains ""contributor"" | SecurityRecommendation.RecommendationDisplayName contains ""AWS"" | SecurityRecommendation.RecommendationDisplayName contains ""Amazon"" | SecurityRecommendation.RecommendationDisplayName contains ""certificate"" | SecurityRecommendation.RecommendationDisplayName contains ""container"" | SecurityRecommendation.RecommendationDisplayName contains ""database"" | SecurityRecommendation.RecommendationDisplayName contains ""encrypt"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint protection"" | SecurityRecommendation.RecommendationDisplayName contains ""exploit"" | 
SecurityRecommendation.RecommendationDisplayName contains ""key"" | SecurityRecommendation.RecommendationDisplayName contains ""kube"" | SecurityRecommendation.RecommendationDisplayName contains ""pod"" | SecurityRecommendation.RecommendationDisplayName contains ""sql"" | SecurityRecommendation.RecommendationDisplayName contains ""vault"" | SecurityRecommendation.RecommendationDisplayName contains ""virus"" | SecurityRecommendation.RecommendationDisplayName contains ""vuln"" | SecurityRecommendation.RecommendationDisplayName has ""GCP"" | SecurityRecommendation.RecommendationDisplayName has ""Google"" | SecurityRecommendation.RecommendationName contains ""container"" | SecurityRecommendation.RecommendationName contains ""kube"" | SecurityRecommendation.RecommendationName contains ""kubernetes"" | SecurityRecommendation.RecommendationName contains ""pod"" | SecurityRecommendation.RecommendationName contains ""update"" | SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy"" | SigninLogs.AppDisplayName in ""Azure Active Directory PowerShell,Microsoft Azure CLI"" | SigninLogs.AppDisplayName contains ""ACOM"" | SigninLogs.AppDisplayName contains ""CLI"" | SigninLogs.AppDisplayName contains ""PowerShell"" | SigninLogs.AppDisplayName contains ""command"" | SigninLogs.AppDisplayName contains ""graph"" | Syslog.SyslogMessage contains ""runas"" | Syslog.SyslogMessage contains ""sudo"" | _Computed.Connection has ""managedApis/azuresentinel"" | _Computed.ProductName in ""Microsoft Defender Advanced Threat Protection,Microsoft Defender for Endpoint"" | _Computed.TableExists in ""0,1"" | _Computed.Tactics contains ""Access"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.type in~ 
""Microsoft.ContainerService/managedClusters,Microsoft.Kubernetes/connectedClusters,microsoft.containerservice/managedclusters,microsoft.kubernetes/connectedclusters,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ ""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | 
_Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | _Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ ""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ ""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments"" | _Computed.type !~ ""providers.test/statefulibizaengines"" | 
_Im_NetworkSession.Type in ""microsoft.logic/workflows,microsoft.managedservices/registrationassignments,microsoft.network/routetables,microsoft.security/assessments/subassessments"" | _Im_NetworkSession.Type in~ ""microsoft.insights/components,microsoft.operationalinsights/workspaces"" | _Im_NetworkSession.Type contains ""application"" | _Im_NetworkSession.Type contains ""container"" | _Im_NetworkSession.Type contains ""load"" | _Im_NetworkSession.Type contains ""network"" | _Im_NetworkSession.Type contains ""traffic"" | _Im_NetworkSession.Type contains ""virtualNetworks""","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" +"","MaturityModelForEventLogManagement_M2131","workbook","","MaturityModelForEventLogManagement_M2131.json","","","","","","","","","has_query","","","AuditLogs.OperationName in ""Add member to role,Add user,ApplicationGatewayFirewall,AzureFirewallIDSLog,Reset user password,Update user"" | AuditLogs.OperationName !contains ""external"" | AuditLogs.OperationName !contains ""invite"" | AuditLogs.OperationName !contains ""licnense"" | AuditLogs.OperationName contains ""group"" | AuditLogs.OperationName contains ""member"" | AuditLogs.OperationName contains ""principal"" | AuditLogs.OperationName contains ""role"" | AuditLogs.OperationName contains ""user"" | AzureActivity.ActivityStatusValue == ""Success"" | AzureActivity.ActivitySubstatusValue in ""Created,OK"" | AzureActivity.OperationNameValue contains ""Microsoft.Network/loadBalancers/"" | AzureActivity.OperationNameValue contains ""Network"" | AzureActivity.ResourceProviderValue in ""MICROSOFT.CONTAINERSERVICE,MICROSOFT.LOGIC"" | AzureDiagnostics.Category in 
""AzureFirewallApplicationRule,AzureFirewallNetworkRule,EntitlementManagement,FrontdoorWebApplicationFirewallLog,GatewayDiagnosticLog,GroupManagement,IKEDiagnosticLog,NetworkSecurityGroupEvent,RouteDiagnosticLog,TunnelDiagnosticLog,UserManagement,WebApplicationFirewallLogs,kube-audit"" | AzureDiagnostics.Category contains ""SQL"" | AzureDiagnostics.Resource == ""SOC-NS-AG-WAFV2"" | AzureDiagnostics.ResourceProvider in ""MICROSOFT.CONTAINERSERVICE,MICROSOFT.KEYVAULT"" | AzureDiagnostics.ResourceType in ""APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES,SERVERS/DATABASES"" | AzureDiagnostics.msg_s !has "". Url"" | AzureDiagnostics.msg_s !has ""No rule matched"" | AzureDiagnostics.msg_s !has ""Reason:"" | AzureDiagnostics.msg_s !has ""Rule Collection"" | AzureDiagnostics.msg_s !has ""TLS extension was missing"" | AzureDiagnostics.msg_s !has ""Web Category:"" | AzureDiagnostics.msg_s has "". No rule matched"" | AzureDiagnostics.msg_s has "". 
Url"" | AzureDiagnostics.msg_s has ""Reason:"" | AzureDiagnostics.msg_s has ""Rule Collection Group"" | AzureDiagnostics.msg_s has ""Web Category:"" | ConfigurationChange.ConfigChangeType == ""Registry"" | ConfigurationData.ConfigDataType == ""Registry"" | DeviceProcessEvents.ActionType in ""Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user"" | EmailEvents.DeliveryAction == ""Junked"" | EmailEvents.DetectionMethods contains ""spam"" | InsightsMetrics.Namespace in ""Memory,Network,Processor"" | OfficeActivity.OfficeWorkload == ""Exchange"" | OfficeActivity.Operation !contains ""access"" | OfficeActivity.Operation contains ""policy"" | OfficeActivity.RecordType == ""ExchangeAdmin"" | SecurityEvent.GroupMembership contains ""admin"" | SecurityEvent.GroupMembership contains ""contributor"" | SecurityRecommendation.RecommendationDisplayName contains ""AWS"" | SecurityRecommendation.RecommendationDisplayName contains ""Amazon"" | SecurityRecommendation.RecommendationDisplayName contains ""certificate"" | SecurityRecommendation.RecommendationDisplayName contains ""container"" | SecurityRecommendation.RecommendationDisplayName contains ""database"" | SecurityRecommendation.RecommendationDisplayName contains ""encrypt"" | SecurityRecommendation.RecommendationDisplayName contains ""endpoint protection"" | SecurityRecommendation.RecommendationDisplayName contains ""exploit"" | SecurityRecommendation.RecommendationDisplayName contains ""key"" | SecurityRecommendation.RecommendationDisplayName contains ""kube"" | SecurityRecommendation.RecommendationDisplayName contains ""pod"" | SecurityRecommendation.RecommendationDisplayName contains ""sql"" | SecurityRecommendation.RecommendationDisplayName contains ""vault"" | SecurityRecommendation.RecommendationDisplayName contains ""virus"" | SecurityRecommendation.RecommendationDisplayName contains ""vuln"" | SecurityRecommendation.RecommendationDisplayName has 
""GCP"" | SecurityRecommendation.RecommendationDisplayName has ""Google"" | SecurityRecommendation.RecommendationName contains ""container"" | SecurityRecommendation.RecommendationName contains ""kube"" | SecurityRecommendation.RecommendationName contains ""kubernetes"" | SecurityRecommendation.RecommendationName contains ""pod"" | SecurityRecommendation.RecommendationName contains ""update"" | SecurityRecommendation.RecommendationState in ""Healthy,NotApplicable,Removed,Unhealthy"" | SigninLogs.AppDisplayName in ""Azure Active Directory PowerShell,Microsoft Azure CLI"" | SigninLogs.AppDisplayName contains ""ACOM"" | SigninLogs.AppDisplayName contains ""CLI"" | SigninLogs.AppDisplayName contains ""PowerShell"" | SigninLogs.AppDisplayName contains ""command"" | SigninLogs.AppDisplayName contains ""graph"" | Syslog.SyslogMessage contains ""runas"" | Syslog.SyslogMessage contains ""sudo"" | _Computed.Connection has ""managedApis/azuresentinel"" | _Computed.ProductName in ""Microsoft Defender Advanced Threat Protection,Microsoft Defender for Endpoint"" | _Computed.TableExists in ""0,1"" | _Computed.Tactics contains ""Access"" | _Computed.assessmentKey == ""1195afff-c881-495e-9bc5-1486211ae03f"" | _Computed.type in~ ""Microsoft.ContainerService/managedClusters,Microsoft.Kubernetes/connectedClusters,microsoft.containerservice/managedclusters,microsoft.kubernetes/connectedclusters,microsoft.network/serviceendpointpolicies,microsoft.sql/servers,microsoft.sql/servers/databases,microsoft.synapse/workspaces/sqlpools"" | _Computed.type !~ ""dynatrace.observability/monitors"" | _Computed.type !~ ""microsoft.agfoodplatform/farmbeats"" | _Computed.type !~ ""microsoft.azurepercept/accounts"" | _Computed.type !~ ""microsoft.azurestack/registrations"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints"" | _Computed.type !~ ""microsoft.cdn/profiles/afdendpoints/routes"" | _Computed.type !~ ""microsoft.cdn/profiles/customdomains"" | _Computed.type !~ 
""microsoft.cdn/profiles/origingroups"" | _Computed.type !~ ""microsoft.cdn/profiles/origingroups/origins"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets"" | _Computed.type !~ ""microsoft.cdn/profiles/rulesets/rules"" | _Computed.type !~ ""microsoft.cdn/profiles/secrets"" | _Computed.type !~ ""microsoft.cdn/profiles/securitypolicies"" | _Computed.type !~ ""microsoft.connectedvmwarevsphere/vcenters"" | _Computed.type !~ ""microsoft.containerservice/managedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.datacollaboration/workspaces"" | _Computed.type !~ ""microsoft.datareplication/replicationvaults"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters"" | _Computed.type !~ ""microsoft.hdinsight/clusterpools/clusters/sessionclusters"" | _Computed.type !~ ""microsoft.hpcworkbench/instances"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/assets"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/executionplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/testplans"" | _Computed.type !~ ""microsoft.intelligentitdigitaltwin/digitaltwins/tests"" | _Computed.type !~ ""microsoft.kubernetes/connectedclusters/microsoft.kubernetesconfiguration/fluxconfigurations"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/services"" | _Computed.type !~ ""microsoft.mobilenetwork/mobilenetworks/sites"" | _Computed.type !~ ""microsoft.mobilenetwork/packetcorecontrolplanes"" | _Computed.type !~ ""microsoft.mobilenetwork/sims"" | _Computed.type !~ ""microsoft.openlogisticsplatform/workspaces"" | _Computed.type !~ ""microsoft.orbital/contactprofiles"" | _Computed.type !~ ""microsoft.orbital/edgesites"" | _Computed.type !~ 
""microsoft.orbital/groundstations"" | _Computed.type !~ ""microsoft.orbital/l2connections"" | _Computed.type !~ ""microsoft.orbital/spacecrafts"" | _Computed.type !~ ""microsoft.orbital/spacecrafts/contacts"" | _Computed.type !~ ""microsoft.playfab/playeraccountpools"" | _Computed.type !~ ""microsoft.playfab/playfabresources"" | _Computed.type !~ ""microsoft.playfab/titles"" | _Computed.type !~ ""microsoft.portal/extensions"" | _Computed.type !~ ""microsoft.portal/extensions/deployments"" | _Computed.type !~ ""microsoft.portal/extensions/slots"" | _Computed.type !~ ""microsoft.portal/extensions/versions"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/modeling"" | _Computed.type !~ ""microsoft.recommendationsservice/accounts/serviceendpoints"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesbvtd2/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd/vaults"" | _Computed.type !~ ""microsoft.recoveryservicesintd2/vaults"" | _Computed.type !~ ""microsoft.scom/managedinstances"" | _Computed.type !~ ""microsoft.storagecache/amlfilesystems"" | _Computed.type !~ ""nginx.nginxplus/nginxdeployments"" | _Computed.type !~ ""providers.test/statefulibizaengines"" | _Im_NetworkSession.Type in ""microsoft.logic/workflows,microsoft.managedservices/registrationassignments,microsoft.network/routetables,microsoft.security/assessments/subassessments"" | _Im_NetworkSession.Type in~ ""microsoft.insights/components,microsoft.operationalinsights/workspaces"" | _Im_NetworkSession.Type contains ""application"" | _Im_NetworkSession.Type contains ""container"" | _Im_NetworkSession.Type contains ""load"" | _Im_NetworkSession.Type contains ""network"" | _Im_NetworkSession.Type contains ""traffic"" | _Im_NetworkSession.Type contains 
""virtualNetworks""","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" "","Notify-LogManagementTeam","playbook","This Security Orchestration, Automation, & Response (SOAR) capability is designed for configuration with the solution's analytics rules. When analytics rules trigger this automation notifies the log management team of respective details via Teams chat and exchange email. this automation reduces requirements to manually monitor the workbook or analytics rules while increasing response times.","Notify_LogManagementTeam-MaturityModel/Notify_LogManagementTeam.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" "","Create-AzureDevOpsTask","playbook","This playbook will create the Azure DevOps task filled with the Microsoft Sentinel incident details.","Open_DevOpsTaskRecommendation-M2131/Open_DevOpsTaskRecommendation-M2131.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" "","Create Jira Issue","playbook","This playbook will open a Jira Issue when a new incident is opened in Microsoft 
Sentinel.","Open_JIRATicketRecommendation-M2131/Open_JIRATicketRecommendation-M2131.json","","","","","","","","","no_query","","","","","","Solution","","","","","false","MaturityModelForEventLogManagementM2131","MaturityModelForEventLogManagementM2131","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MaturityModelForEventLogManagementM2131","true" -"3c1425d3-93d4-4eaf-8aa0-370dbac94c82","McAfee ePO - Agent Handler down","analytic_rule","'Detects when AgentHandler is down.'","McAfeeEPOAgentHandlerDown.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"1e3bcd0f-10b2-4fbd-854f-1c6f33acc36a","McAfee ePO - Error sending alert","analytic_rule","'Detects when error sending alert occurs.'","McAfeeEPOAlertError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"2eff5809-bf84-48e0-8288-768689672c37","McAfee ePO - Attempt uninstall McAfee agent","analytic_rule","'Detects attempts uninstalling McAfee agent on host.'","McAfeeEPOAttemptUninstallAgent.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"155243f4-d962-4717-8a7b-b15b6d112660","McAfee ePO - Deployment failed","analytic_rule","'Detects when errors occur during deployment new 
changes/policies.'","McAfeeEPODeploymentFailed.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"b9d9fdfe-bc17-45ce-a70d-67a5cfd119f4","McAfee ePO - File added to exceptions","analytic_rule","'Detects when file was added to exception list on a host.'","McAfeeEPOExceptionAdded.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"bd3cedc3-efba-455a-85bd-0cf9ac1b0727","McAfee ePO - Firewall disabled","analytic_rule","'Detects when firewall was disabled from Mctray.'","McAfeeEPOFirewallDisabled.yaml","","","Medium","Available","Scheduled","DefenseEvasion,CommandAndControl","T1562,T1071","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"0c9243d6-d2ec-48e1-8593-e713859c8f3c","McAfee ePO - Logging error occurred","analytic_rule","'Detects when logging errors on agent.'","McAfeeEPOLoggingError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"f53e5168-afdb-4fad-b29a-bb9cb71ec460","McAfee ePO - Multiple threats on same host","analytic_rule","'Rule fires when multiple threat events were detected on the same 
host.'","McAfeeEPOMultipleThreatsSameHost.yaml","","","Medium","Available","Scheduled","InitialAccess,Persistence,DefenseEvasion,PrivilegeEscalation","T1562,T1070,T1189,T1195,T1543,T1055","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"5223c1b8-75ef-4019-9076-a19b1ef3e5d1","McAfee ePO - Scanning engine disabled","analytic_rule","'Detects when OAS scanning engine was disabled.'","McAfeeEPOScanningEngineDisabled.yaml","","","Low","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"ffc9052b-3658-4ad4-9003-0151515fde15","McAfee ePO - Spam Email detected","analytic_rule","'Detects when email was marked as spam.'","McAfeeEPOSpamEmail.yaml","","","Medium","Available","Scheduled","InitialAccess","T1566","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"3e397e31-7964-417e-a3e0-0acfaa2056f4","McAfee ePO - Task error","analytic_rule","'Detects when task error occurs.'","McAfeeEPOTaskError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7","McAfee ePO - Threat was not blocked","analytic_rule","'Detects when a threat was not blocked on a 
host.'","McAfeeEPOThreatNotBlocked.yaml","","","High","Available","Scheduled","InitialAccess,PrivilegeEscalation,DefenseEvasion","T1562,T1070,T1068,T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"9860e89f-72c8-425e-bac9-4a170798d3ea","McAfee ePO - Unable to clean or delete infected file","analytic_rule","'Detects when McAfee failed to clean or delete infected file.'","McAfeeEPOUnableCleanDeleteInfectedFile.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"4f0c91c3-1690-48f0-b538-4282dd5417a4","McAfee ePO - Update failed","analytic_rule","'Detects when update failed event occurs on agent.'","McAfeeEPOUpdateFailed.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"dff3c841-6e3e-432e-ad68-3ddd7326bc01","McAfee ePO - Agent Errors","hunting_query","'Query searches for error events from McAfee agents.'","McAfeeEPOAgentErrors.yaml","","","","","","DefenseEvasion","T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"e838519b-1f03-417f-863b-6c1a141677ee","McAfee ePO - Applications blocked or contained","hunting_query","'Query searches for blocked or contained 
applications.'","McAfeeEPOApplicationsBlocked.yaml","","","","","","InitialAccess,Execution","T1204,T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"851b63f1-cc5d-44d5-b505-9444a5e87076","McAfee ePO - Email Treats","hunting_query","'Query searches for email related threat events.'","McAfeeEPOEmailThreats.yaml","","","","","","InitialAccess","T1566","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"e83b72a0-60dd-4d65-b1c2-582766f2f181","McAfee ePO - Infected files by source","hunting_query","'Query searches for infected files which were detected.'","McAfeeEPOInfectedFiles.yaml","","","","","","InitialAccess","T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"2e7a56fb-ffff-491c-bdee-e772f83c47e2","McAfee ePO - Infected Systems","hunting_query","'Query searches for infected systems based on scan results.'","McAfeeEPOInfectedSystems.yaml","","","","","","InitialAccess","T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"a65e4129-d936-4165-bc08-699f9151aa26","McAfee ePO - Long term infected systems","hunting_query","'Query searches for infected systems which were not cleaned for long 
term.'","McAfeeEPOLongTermInfectedSystems.yaml","","","","","","InitialAccess,Persistence","T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"1ef23489-a840-4b43-b33d-a921da24c85c","McAfee ePO - Sources with multiple threats","hunting_query","'Query searches for sources with several different threats.'","McAfeeEPOMultipleThreats.yaml","","","","","","InitialAccess","T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"5be4adb7-52ee-4416-b39d-0c03cf0fb661","McAfee ePO - Objects not scanned","hunting_query","'Query searches for unscanned objects.'","McAfeeEPOObjectsNotScanned.yaml","","","","","","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"901e6982-39ed-4759-9451-de1a3826182f","McAfee ePO - Scan Errors","hunting_query","'Query searches for scan error events.'","McAfeeEPOScanErrors.yaml","","","","","","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"80c5904d-6a36-4b7c-82d4-180023a1f8b4","McAfee ePO - Threats detected and not blocked, cleaned or deleted","hunting_query","'Query searches for events where threats were detected and not blocked, cleaned or 
deleted.'","McAfeeEPOThreatNotBlocked.yaml","","","","","","Persistence,PrivilegeEscalation","T1574,T1055","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"","McAfeeePOOverview","workbook","","McAfeeePOOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"b1038960-6b62-4d55-aed0-c55acb1ae408","McAfeeEPOEvent","parser","","McAfeeEPOEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","true" -"4f808c27-859d-44d2-a3ed-33fe6e8c18e6","McAfeeNSPEvent","parser","","McAfeeNSPEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee Network Security Platform","McAfee Network Security Platform","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20Network%20Security%20Platform","true" +"3c1425d3-93d4-4eaf-8aa0-370dbac94c82","McAfee ePO - Agent Handler down","analytic_rule","'Detects when AgentHandler is down.'","McAfeeEPOAgentHandlerDown.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"1e3bcd0f-10b2-4fbd-854f-1c6f33acc36a","McAfee ePO - Error sending alert","analytic_rule","'Detects when error sending alert 
occurs.'","McAfeeEPOAlertError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"2eff5809-bf84-48e0-8288-768689672c37","McAfee ePO - Attempt uninstall McAfee agent","analytic_rule","'Detects attempts uninstalling McAfee agent on host.'","McAfeeEPOAttemptUninstallAgent.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"155243f4-d962-4717-8a7b-b15b6d112660","McAfee ePO - Deployment failed","analytic_rule","'Detects when errors occur during deployment new changes/policies.'","McAfeeEPODeploymentFailed.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"b9d9fdfe-bc17-45ce-a70d-67a5cfd119f4","McAfee ePO - File added to exceptions","analytic_rule","'Detects when file was added to exception list on a host.'","McAfeeEPOExceptionAdded.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"bd3cedc3-efba-455a-85bd-0cf9ac1b0727","McAfee ePO - Firewall disabled","analytic_rule","'Detects when firewall was disabled from 
Mctray.'","McAfeeEPOFirewallDisabled.yaml","","","Medium","Available","Scheduled","DefenseEvasion,CommandAndControl","T1562,T1071","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"0c9243d6-d2ec-48e1-8593-e713859c8f3c","McAfee ePO - Logging error occurred","analytic_rule","'Detects when logging errors on agent.'","McAfeeEPOLoggingError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"f53e5168-afdb-4fad-b29a-bb9cb71ec460","McAfee ePO - Multiple threats on same host","analytic_rule","'Rule fires when multiple threat events were detected on the same host.'","McAfeeEPOMultipleThreatsSameHost.yaml","","","Medium","Available","Scheduled","InitialAccess,Persistence,DefenseEvasion,PrivilegeEscalation","T1562,T1070,T1189,T1195,T1543,T1055","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"5223c1b8-75ef-4019-9076-a19b1ef3e5d1","McAfee ePO - Scanning engine disabled","analytic_rule","'Detects when OAS scanning engine was disabled.'","McAfeeEPOScanningEngineDisabled.yaml","","","Low","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"ffc9052b-3658-4ad4-9003-0151515fde15","McAfee ePO - Spam Email 
detected","analytic_rule","'Detects when email was marked as spam.'","McAfeeEPOSpamEmail.yaml","","","Medium","Available","Scheduled","InitialAccess","T1566","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"3e397e31-7964-417e-a3e0-0acfaa2056f4","McAfee ePO - Task error","analytic_rule","'Detects when task error occurs.'","McAfeeEPOTaskError.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"6d70a26a-c119-45b7-b4c6-44ac4fd1bcb7","McAfee ePO - Threat was not blocked","analytic_rule","'Detects when a threat was not blocked on a host.'","McAfeeEPOThreatNotBlocked.yaml","","","High","Available","Scheduled","InitialAccess,PrivilegeEscalation,DefenseEvasion","T1562,T1070,T1068,T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"9860e89f-72c8-425e-bac9-4a170798d3ea","McAfee ePO - Unable to clean or delete infected file","analytic_rule","'Detects when McAfee failed to clean or delete infected file.'","McAfeeEPOUnableCleanDeleteInfectedFile.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"4f0c91c3-1690-48f0-b538-4282dd5417a4","McAfee ePO - Update failed","analytic_rule","'Detects when 
update failed event occurs on agent.'","McAfeeEPOUpdateFailed.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562,T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"dff3c841-6e3e-432e-ad68-3ddd7326bc01","McAfee ePO - Agent Errors","hunting_query","'Query searches for error events from McAfee agents.'","McAfeeEPOAgentErrors.yaml","","","","","","DefenseEvasion","T1070","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"e838519b-1f03-417f-863b-6c1a141677ee","McAfee ePO - Applications blocked or contained","hunting_query","'Query searches for blocked or contained applications.'","McAfeeEPOApplicationsBlocked.yaml","","","","","","InitialAccess,Execution","T1204,T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"851b63f1-cc5d-44d5-b505-9444a5e87076","McAfee ePO - Email Treats","hunting_query","'Query searches for email related threat events.'","McAfeeEPOEmailThreats.yaml","","","","","","InitialAccess","T1566","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"e83b72a0-60dd-4d65-b1c2-582766f2f181","McAfee ePO - Infected files by source","hunting_query","'Query searches for infected files which were 
detected.'","McAfeeEPOInfectedFiles.yaml","","","","","","InitialAccess","T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"2e7a56fb-ffff-491c-bdee-e772f83c47e2","McAfee ePO - Infected Systems","hunting_query","'Query searches for infected systems based on scan results.'","McAfeeEPOInfectedSystems.yaml","","","","","","InitialAccess","T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"a65e4129-d936-4165-bc08-699f9151aa26","McAfee ePO - Long term infected systems","hunting_query","'Query searches for infected systems which were not cleaned for long term.'","McAfeeEPOLongTermInfectedSystems.yaml","","","","","","InitialAccess,Persistence","T1189","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"1ef23489-a840-4b43-b33d-a921da24c85c","McAfee ePO - Sources with multiple threats","hunting_query","'Query searches for sources with several different threats.'","McAfeeEPOMultipleThreats.yaml","","","","","","InitialAccess","T1189,T1195","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"5be4adb7-52ee-4416-b39d-0c03cf0fb661","McAfee ePO - Objects not scanned","hunting_query","'Query searches for unscanned 
objects.'","McAfeeEPOObjectsNotScanned.yaml","","","","","","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"901e6982-39ed-4759-9451-de1a3826182f","McAfee ePO - Scan Errors","hunting_query","'Query searches for scan error events.'","McAfeeEPOScanErrors.yaml","","","","","","DefenseEvasion","T1562","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"80c5904d-6a36-4b7c-82d4-180023a1f8b4","McAfee ePO - Threats detected and not blocked, cleaned or deleted","hunting_query","'Query searches for events where threats were detected and not blocked, cleaned or deleted.'","McAfeeEPOThreatNotBlocked.yaml","","","","","","Persistence,PrivilegeEscalation","T1574,T1055","SyslogAma","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"","McAfeeePOOverview","workbook","","McAfeeePOOverview.json","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" +"b1038960-6b62-4d55-aed0-c55acb1ae408","McAfeeEPOEvent","parser","","McAfeeEPOEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee ePolicy Orchestrator","McAfee ePolicy Orchestrator","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20ePolicy%20Orchestrator","false" 
+"4f808c27-859d-44d2-a3ed-33fe6e8c18e6","McAfeeNSPEvent","parser","","McAfeeNSPEvent.yaml","","","","","","","","","has_query","","","","","","Solution","","","","","false","McAfee Network Security Platform","McAfee Network Security Platform","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/McAfee%20Network%20Security%20Platform","false" "194dd92e-d6e7-4249-85a5-273350a7f5ce","Exchange AuditLog Disabled","analytic_rule","'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.'","exchange_auditlogdisabled.yaml","","","Medium","Available","Scheduled","DefenseEvasion","T1562","Office365","has_query","","","OfficeActivity.OfficeWorkload =~ ""Exchange"" | OfficeActivity.Operation =~ ""Set-AdminAuditLogConfig"" | OfficeActivity.UserType in~ ""Admin,DcAdmin"" | _Computed.AdminAuditLogEnabledValue =~ ""False""","","","Solution","","","","","false","Microsoft 365","Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365","true" "bff058b2-500e-4ae5-bb49-a5b1423cbd5b","Accessed files shared by temporary external user","analytic_rule","'This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. 
This might be an indicator of suspicious activity.'","External User added to Team and immediately uploads file.yaml","","","Low","Available","Scheduled","InitialAccess","T1566","Office365,Office365","has_query","","","OfficeActivity.OfficeWorkload =~ ""MicrosoftTeams"" | OfficeActivity.Operation in ""FileAccessed,FileUploaded"" | OfficeActivity.Operation in~ ""MemberAdded,MemberRemoved"" | OfficeActivity.RecordType == ""SharePointFileOperation"" | OfficeActivity.SourceRelativeUrl has ""Microsoft Teams Chat Files"" | _Computed.MemberAdded contains ""#EXT#""","","","Solution","","","","","false","Microsoft 365","Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365","true" "bff093b2-500e-4ae5-bb49-a5b1423cbd5b","External user added and removed in short timeframe","analytic_rule","'This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.'","ExternalUserAddedRemovedInTeams.yaml","","","Low","Available","Scheduled","Persistence","T1136","Office365","has_query","","","OfficeActivity.OfficeWorkload =~ ""MicrosoftTeams""","","","Solution","","","","","false","Microsoft 365","Microsoft 365","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365","true" 
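Review bot: every McAfee ePolicy Orchestrator and McAfee Network Security Platform row in this hunk is deleted and re-added with only the final column flipped from `"true"` to `"false"`, including the workbook and both parser rows, so this is a solution-wide reclassification rather than a content change; the version history entry for this release should name that column and say what triggered the flip, and the regenerated `+` block should be checked against the `-` block it replaces for row count (only the tail of the old block is visible in this hunk) so that no McAfee item was dropped in the regeneration. Unrelated and not something to patch in the CSV: the item name `McAfee ePO - Email Treats` (file `McAfeeEPOEmailThreats.yaml`) carries a typo from the solution YAML in both the old and new rows; it belongs in an upstream fix to the solution, and the generator is right to reproduce the source name verbatim.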
@@ -2442,7 +2454,7 @@ "2a1dc4c2-a8d6-4a0e-8539-9b971c851195","Bitsadmin Activity","analytic_rule","Background Intelligent Transfer Service (BITS) is a way to reliably download files from webservers or SMB servers. This service is commonly used for legitimate purposes, but can also be used as part of a malware downloader. Additionally, bitsadmin can be used to upload files and therefore can be used for data exfiltration. This query will identify use of bitsadmin.exe for either purpose and will identify directionality file transfer directionality.","Execution/BITSAdminActivity.yaml","","","Medium","Available","Scheduled","Persistence,CommandAndControl,Exfiltration","T1197,T1105,T1048","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ProcessCommandLine has ""/Upload"" | DeviceProcessEvents.ProcessCommandLine has_any ""/Transfer""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "174de33b-107b-4cd8-a85d-b4025a35453f","Office Apps Launching Wscipt","analytic_rule","This query was originally published in the threat analytics report, Trickbot: Pervasive & underestimated. Trickbot is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. 
An attacker will send a target a message with an attachment co","Execution/OfficeAppsLaunchingWscript.yaml","","","Medium","Available","Scheduled","Execution,Collection,CommandAndControl","T1059,T1105,T1203","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessFileName in~ ""excel.exe,outlook.exe,winword.exe"" | DeviceProcessEvents.ProcessCommandLine has "".jse""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "12134de5-361b-427c-a1a0-d43f40a593c4","Detect Potential Kerberoast Activities","analytic_rule","This query aim to detect if someone requests service tickets (where count => maxcount) The query requires trimming to set a baseline level for MaxCount Mitre Technique: Kerberoasting (T1558.003) @MattiasBorg82","Execution/PotentialKerberoastActivities.yaml","","","Medium","Available","Scheduled","CredentialAccess","T1558.003","MicrosoftThreatProtection","has_query","","","IdentityLogonEvents.ActionType == ""LogonSuccess"" | IdentityLogonEvents.Protocol == ""Kerberos"" | _Computed.AttackTechniques has ""T1558.003""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" -"3ab04acf-e0e7-4f7c-8995-748ab4c848c2","Files Copied to USB Drives","analytic_rule","This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. 
But be aware that Advanced Hunting is not monitoring all the file types.","Exfiltration/FilesCopiedToUSBDrives.yaml","","","High","Available","Scheduled","Exfiltration","T1041","MicrosoftThreatProtection","has_query","","","DeviceEvents.ActionType in ""FileCreated,UsbDriveMounted""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" +"3ab04acf-e0e7-4f7c-8995-748ab4c848c2","Files Copied to USB Drives","analytic_rule","This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. But be aware that Advanced Hunting is not monitoring all the file types.","Exfiltration/FilesCopiedToUSBDrives.yaml","","","High","Available","Scheduled","Exfiltration","T1041","MicrosoftThreatProtection","has_query","","","DeviceFileEvents.ActionType in ""FileCreated,UsbDriveMounted""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "506f4d6b-3864-4bb1-8f75-a13fb066f97a","MosaicLoader","analytic_rule","This query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.","Exploits/MosaicLoader.yaml","","","High","Available","Scheduled","DefenseEvasion","T1562","MicrosoftThreatProtection","has_query","","","DeviceRegistryEvents.ActionType == ""RegistryValueSet""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "e5f8e196-3544-4a8b-96a9-17c1b6a49710","Unusual Volume of file deletion by users","analytic_rule","This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. 
This applies to SharePoint and OneDrive users. Audit event and Cloud application identifier references. Reference - https://learn.microsoft.com/microsoft-365/compliance/audit-log-activities?view=o365-worldwide Reference - https://learn.microsoft.com/azure/sentinel/entities-reference#cloud-application-identifiers","Impact/AnomalousVoulmeOfFileDeletion.yaml","","","High","Available","Scheduled","Impact","T1485","MicrosoftThreatProtection","has_query","","","","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "35ab0d58-baab-4154-87ed-fa2f69797e9e","Remote File Creation with PsExec","analytic_rule","This query was originally published in the threat analytics report, Ryuk ransomware. There is also a related blog. Ryuk is human-operated ransomware. Much like DoppelPaymer ransomware, Ryuk is spread manually, often on networks that are already infected with Trickbot. Ryuk operators use PsExec to manually spread the ransomware to other devices. The following query detects remote file creation events that might indicate an active attack. The See also section below lists links to other queries ass","Lateral Movement/RemoteFileCreationWithPsExec.yaml","","","High","Available","Scheduled","LateralMovement","T1570","MicrosoftThreatProtection","has_query","","","DeviceFileEvents.FolderPath has ""\\\\"" | DeviceFileEvents.InitiatingProcessCommandLine !has "".ps1"" | DeviceFileEvents.InitiatingProcessCommandLine has "".bat"" | DeviceFileEvents.InitiatingProcessCommandLine has ""accepteula""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" 
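Review bot: re-pointing the whole `ActionType in "FileCreated,UsbDriveMounted"` predicate from `DeviceEvents` to `DeviceFileEvents` replaces one half-right attribution with another. The row's own description says the query pairs `FileCreated` events with the most recent `USBDriveMount` events, i.e. two event sources, and in the Defender XDR advanced hunting schema `UsbDriveMounted` is a `DeviceEvents` action type while `FileCreated` is a `DeviceFileEvents` action type. The extracted filter should be split per table, along the lines of `DeviceEvents.ActionType == "UsbDriveMounted" | DeviceFileEvents.ActionType == "FileCreated"`, rather than merged into one `in` list scoped to whichever table the extractor resolved last. This query is a good candidate for a regression test on the extractor's table-scope resolution, since the same logic moves a predicate in the opposite direction in the ISO-file hunk further down.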
@@ -2480,7 +2492,7 @@ "54ea2379-28e7-48e1-8dfd-aaf8fb1331ba","Regsvr32 Rundll32 with Anomalous Parent Process","hunting_query","This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe.","Defense Evasion/Regsvr32Rundll32WithAnomalousParentProcess.yaml","","","","","","DefenseEvasion","T1218.010,T1218.011","MicrosoftThreatProtection","has_query","","","DeviceNetworkEvents.RemoteIPType == ""Public""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7","Detect Suspicious Commands Initiated by Webserver Processes","hunting_query","Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery.","Discovery/SuspiciousCommandInitiatedByWebServerProcess.yaml","","","","","","Execution,DefenseEvasion,Discovery","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessFileName in ""beasvc.exe,httpd.exe,w3wp.exe"" | DeviceProcessEvents.InitiatingProcessFileName startswith ""tomcat"" | DeviceProcessEvents.InitiatingProcessParentFileName in ""beasvc.exe,httpd.exe,w3wp.exe"" | DeviceProcessEvents.InitiatingProcessParentFileName startswith ""tomcat"" | DeviceProcessEvents.ProcessCommandLine contains ""%temp%"" | DeviceProcessEvents.ProcessCommandLine has ""certutil"" | DeviceProcessEvents.ProcessCommandLine has ""ipconfig"" | DeviceProcessEvents.ProcessCommandLine has ""ping"" | DeviceProcessEvents.ProcessCommandLine has ""systeminfo"" | DeviceProcessEvents.ProcessCommandLine has ""timeout"" | DeviceProcessEvents.ProcessCommandLine has ""wget"" | DeviceProcessEvents.ProcessCommandLine has ""whoami""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender 
XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "29683151-e15d-4c0c-845b-892be89bf080","Enumeration of Users & Groups for Lateral Movement","hunting_query","This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement.","Discovery/User&GroupEnumWithNetCommand.yaml","","","","","","","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ProcessCommandLine !contains ""/add"" | DeviceProcessEvents.ProcessCommandLine !contains ""\\"" | DeviceProcessEvents.ProcessCommandLine contains ""/do"" | DeviceProcessEvents.ProcessCommandLine contains ""/domain"" | DeviceProcessEvents.ProcessCommandLine contains ""group"" | DeviceProcessEvents.ProcessCommandLine contains ""user""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" -"14694b88-a6e9-4cd1-9c4a-e382bdd82d8d","Anomalous Payload Delivered from ISO files","hunting_query","This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files.","Execution/AnomalousPayloadDeliveredWithISOFile.yaml","","","","","","Execution","T1204","MicrosoftThreatProtection","has_query","","","DeviceEvents.ActionType == ""BrowserLaunchedToOpenUrl"" | DeviceEvents.RemoteUrl !startswith ""C:"" | DeviceEvents.RemoteUrl endswith "".lnk""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" +"14694b88-a6e9-4cd1-9c4a-e382bdd82d8d","Anomalous Payload Delivered from ISO files","hunting_query","This query searches for lnk file executions from other locations than C: drive, which can relate to mounted 
ISO-files.","Execution/AnomalousPayloadDeliveredWithISOFile.yaml","","","","","","Execution","T1204","MicrosoftThreatProtection","has_query","","","DeviceEvents.RemoteUrl !startswith ""C:"" | DeviceEvents.RemoteUrl endswith "".lnk"" | DeviceProcessEvents.ActionType == ""BrowserLaunchedToOpenUrl""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "bba7bbbe-5aa3-4c08-bd23-dd6cd8ccaf20","Bitsadmin Activity","hunting_query","This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader.","Execution/BitsadminActivity.yaml","","","","","","Persistence,CommandAndControl,Exfiltration","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ProcessCommandLine has ""/Upload"" | DeviceProcessEvents.ProcessCommandLine has_any ""/Transfer""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "7a5597de-7e99-470d-944f-acb163b9cb14","Detect Malicious use of MSIExec","hunting_query","This query detects possible download and execution using Msiexec.","Execution/MaliciousUseOfMSIExec.yaml","","","","","","Execution,PrivilegeEscalation,CredentialAccess","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ProcessCommandLine has ""http"" | DeviceProcessEvents.ProcessCommandLine has ""return""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "58e6170e-0512-4485-9638-463fdde85b0e","Detect Malicious use of Msiexec Mimikatz","hunting_query","This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation 
tool.","Execution/MaliciousUseOfMsiExecMimikatz.yaml","","","","","","Execution,CredentialAccess,PrivilegeEscalation","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessFileName =~ ""msiexec.exe"" | DeviceProcessEvents.ProcessCommandLine contains ""privilege::"" | DeviceProcessEvents.ProcessCommandLine contains ""token::"" | DeviceProcessEvents.ProcessCommandLine has ""sekurlsa""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" 
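Review bot: the new attribution for `Anomalous Payload Delivered from ISO files` looks like a regression: `BrowserLaunchedToOpenUrl` is documented as a `DeviceEvents` action type, and `RemoteUrl`, which this same filter still scopes to `DeviceEvents`, is the column that action type is filtered alongside, so one where-chain over a single table is now attributed to two tables and `DeviceProcessEvents` is credited with an action type it does not emit. Unless the source YAML actually unions or joins `DeviceProcessEvents`, the previous `DeviceEvents.ActionType == "BrowserLaunchedToOpenUrl"` was correct and should be restored. The three predicates are also now emitted sorted by table.column instead of in query order, which is visible here because the `ActionType` test moved from first to last; if sorting happens after scope resolution, an unresolved token's table must be fixed before the sort, otherwise it will pick up whatever table sorts next to it.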
@@ -2489,7 +2501,7 @@ "3842e70d-45be-43b1-8206-4ebc4c305f34","PowerShell Downloads","hunting_query","The query searches for PowerShell execution events that could involve a download.","Execution/PowerShellDownloads.yaml","","","","","","Execution","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.ProcessCommandLine has ""DownloadFile"" | DeviceProcessEvents.ProcessCommandLine has ""IEX"" | DeviceProcessEvents.ProcessCommandLine has ""Invoke-Shellcode"" | DeviceProcessEvents.ProcessCommandLine has ""Invoke-WebRequest"" | DeviceProcessEvents.ProcessCommandLine has ""Net.WebClient"" | DeviceProcessEvents.ProcessCommandLine has ""Start-BitsTransfer"" | DeviceProcessEvents.ProcessCommandLine has ""http"" | DeviceProcessEvents.ProcessCommandLine has ""mpcmdrun.exe""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "761230a3-71ad-4522-bfbc-1dca698ffc42","Webserver Executing Suspicious Applications","hunting_query","This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript).","Execution/SuspiciousAppExeutedByWebserver.yaml","","","","","","Execution","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessFileName in~ ""httpd.exe,w3wp.exe""","","","Solution","","","","","false","Microsoft Defender XDR","Microsoft Defender XDR","https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR","true" "81f02314-2ff5-45cb-a35d-0deb546a0104","Detect Suspicious Mshta Usage","hunting_query","This query detects when mshta.exe has been run, which might include illegitimate usage by attackers.","Execution/SuspiciousMshtaUsage.yaml","","","","","","Execution","","MicrosoftThreatProtection","has_query","","","DeviceProcessEvents.InitiatingProcessCommandLine contains ""